On 02.10.2013 13:10, Simo Sorce wrote:
- Original Message -
On 1.10.2013 22:08, Rob Crittenden wrote:
Simo Sorce wrote:
- Original Message -
On 13.9.2013 11:05, Jan Cholasta wrote:
On 13.9.2013 10:53, Martin Kosek wrote:
On 09/13/2013 10:51 AM, Jan Cholasta wrote:
On
On 3.10.2013 09:41, Stef Walter wrote:
On 02.10.2013 13:10, Simo Sorce wrote:
- Original Message -
On 1.10.2013 22:08, Rob Crittenden wrote:
Simo Sorce wrote:
- Original Message -
On 13.9.2013 11:05, Jan Cholasta wrote:
On 13.9.2013 10:53, Martin Kosek wrote:
On
On 1.10.2013 22:08, Rob Crittenden wrote:
Simo Sorce wrote:
- Original Message -
On 13.9.2013 11:05, Jan Cholasta wrote:
On 13.9.2013 10:53, Martin Kosek wrote:
On 09/13/2013 10:51 AM, Jan Cholasta wrote:
On 5.9.2013 10:28, Jan Cholasta wrote:
On 3.9.2013 18:16, Dmitri Pal wrote:
- Original Message -
On 1.10.2013 22:08, Rob Crittenden wrote:
Simo Sorce wrote:
- Original Message -
On 13.9.2013 11:05, Jan Cholasta wrote:
On 13.9.2013 10:53, Martin Kosek wrote:
On 09/13/2013 10:51 AM, Jan Cholasta wrote:
On 5.9.2013 10:28, Jan Cholasta wrote:
On 13.9.2013 11:05, Jan Cholasta wrote:
On 13.9.2013 10:53, Martin Kosek wrote:
On 09/13/2013 10:51 AM, Jan Cholasta wrote:
On 5.9.2013 10:28, Jan Cholasta wrote:
On 3.9.2013 18:16, Dmitri Pal wrote:
On 09/02/2013 04:49 AM, Petr Spacek wrote:
It reminds me of problems with key-rotation for
On 01.10.2013 12:32, Jan Cholasta wrote:
On 13.9.2013 11:05, Jan Cholasta wrote:
On 13.9.2013 10:53, Martin Kosek wrote:
On 09/13/2013 10:51 AM, Jan Cholasta wrote:
On 5.9.2013 10:28, Jan Cholasta wrote:
On 3.9.2013 18:16, Dmitri Pal wrote:
On 09/02/2013 04:49 AM, Petr Spacek wrote:
It
- Original Message -
On 13.9.2013 11:05, Jan Cholasta wrote:
On 13.9.2013 10:53, Martin Kosek wrote:
On 09/13/2013 10:51 AM, Jan Cholasta wrote:
On 5.9.2013 10:28, Jan Cholasta wrote:
On 3.9.2013 18:16, Dmitri Pal wrote:
On 09/02/2013 04:49 AM, Petr Spacek wrote:
It reminds me
On 01.10.2013 21:57, Simo Sorce wrote:
- Original Message -
On 13.9.2013 11:05, Jan Cholasta wrote:
On 13.9.2013 10:53, Martin Kosek wrote:
On 09/13/2013 10:51 AM, Jan Cholasta wrote:
On 5.9.2013 10:28, Jan Cholasta wrote:
On 3.9.2013 18:16, Dmitri Pal wrote:
On 09/02/2013 04:49 AM,
Simo Sorce wrote:
- Original Message -
On 13.9.2013 11:05, Jan Cholasta wrote:
On 13.9.2013 10:53, Martin Kosek wrote:
On 09/13/2013 10:51 AM, Jan Cholasta wrote:
On 5.9.2013 10:28, Jan Cholasta wrote:
On 3.9.2013 18:16, Dmitri Pal wrote:
On 09/02/2013 04:49 AM, Petr Spacek wrote:
On 5.9.2013 10:28, Jan Cholasta wrote:
On 3.9.2013 18:16, Dmitri Pal wrote:
On 09/02/2013 04:49 AM, Petr Spacek wrote:
On 22.8.2013 15:43, Jan Cholasta wrote:
Hi,
I'm currently investigating support for multiple CA certificates in
LDAP
(https://fedorahosted.org/freeipa/ticket/3259,
On 09/13/2013 10:51 AM, Jan Cholasta wrote:
On 5.9.2013 10:28, Jan Cholasta wrote:
On 3.9.2013 18:16, Dmitri Pal wrote:
On 09/02/2013 04:49 AM, Petr Spacek wrote:
On 22.8.2013 15:43, Jan Cholasta wrote:
Hi,
I'm currently investigating support for multiple CA certificates in
LDAP
On Thu, Sep 05, 2013 at 10:28:36AM +0200, Jan Cholasta wrote:
On 3.9.2013 18:16, Dmitri Pal wrote:
On 09/02/2013 04:49 AM, Petr Spacek wrote:
On 22.8.2013 15:43, Jan Cholasta wrote:
Hi,
I'm currently investigating support for multiple CA certificates in LDAP
On 13.9.2013 10:53, Martin Kosek wrote:
On 09/13/2013 10:51 AM, Jan Cholasta wrote:
On 5.9.2013 10:28, Jan Cholasta wrote:
On 3.9.2013 18:16, Dmitri Pal wrote:
On 09/02/2013 04:49 AM, Petr Spacek wrote:
It reminds me of problems with key-rotation for DNSSEC.
Could we find common problems and
On Tue, Sep 10, 2013 at 11:10:25AM -0400, Dmitri Pal wrote:
Regarding SNI, it apparently is not supported in server-side NSS
(https://bugzilla.mozilla.org/show_bug.cgi?id=360421)
We need to either push for a solution to this or allow switching to
mod_ssl.
Jan Pazdziora investigated
On 9.9.2013 17:54, Simo Sorce wrote:
On Mon, 2013-09-09 at 10:40 -0400, Rob Crittenden wrote:
Jan Cholasta wrote:
On 9.9.2013 16:02, John Dennis wrote:
On 09/09/2013 05:17 AM, Jan Cholasta wrote:
Another question:
Should each IPA service (LDAP, HTTP, PKINIT) have its own distinctive
set of
On Tue, 2013-09-10 at 10:30 +0200, Jan Cholasta wrote:
On 9.9.2013 17:54, Simo Sorce wrote:
On Mon, 2013-09-09 at 10:40 -0400, Rob Crittenden wrote:
Jan Cholasta wrote:
On 9.9.2013 16:02, John Dennis wrote:
On 09/09/2013 05:17 AM, Jan Cholasta wrote:
Another question:
Should each
On 09/10/2013 08:49 AM, Simo Sorce wrote:
What if there is no IPA CA (CA-less)? Should we assume that the user has
their own CA in control and allow only certs signed by that single CA?
Regarding SNI, it apparently is not supported in server-side NSS
Another question:
Should each IPA service (LDAP, HTTP, PKINIT) have its own distinctive
set of trusted CAs, or is using one set for everything good enough?
Using distinctive sets would allow granular control over what CA is
trusted for what service (e.g. trust CA1 to issue certificates for
On Mon, 2013-09-09 at 11:17 +0200, Jan Cholasta wrote:
Another question:
Should each IPA service (LDAP, HTTP, PKINIT) have its own distinctive
set of trusted CAs, or is using one set for everything good enough?
Using distinctive sets would allow granular control over what CA is
trusted
On 09/09/2013 10:02 AM, Nalin Dahyabhai wrote:
On Mon, Sep 09, 2013 at 11:17:02AM +0200, Jan Cholasta wrote:
Should each IPA service (LDAP, HTTP, PKINIT) have its own
distinctive set of trusted CAs, or is using one set for everything
good enough? Using distinctive sets would allow granular
On 9.9.2013 15:36, Simo Sorce wrote:
On Mon, 2013-09-09 at 11:17 +0200, Jan Cholasta wrote:
Another question:
Should each IPA service (LDAP, HTTP, PKINIT) have its own distinctive
set of trusted CAs, or is using one set for everything good enough?
Using distinctive sets would allow granular
On 9.9.2013 16:05, John Dennis wrote:
On 09/09/2013 10:02 AM, Nalin Dahyabhai wrote:
On Mon, Sep 09, 2013 at 11:17:02AM +0200, Jan Cholasta wrote:
Should each IPA service (LDAP, HTTP, PKINIT) have its own
distinctive set of trusted CAs, or is using one set for everything
good enough? Using
On Mon, Sep 09, 2013 at 10:05:59AM -0400, John Dennis wrote:
On 09/09/2013 10:02 AM, Nalin Dahyabhai wrote:
I'd expect it to depend heavily on whether or not you're chaining up to
an external CA. Personally, I'd very much want to keep a different set
of trust anchors for PKINIT in that
On 09/09/2013 10:24 AM, Nalin Dahyabhai wrote:
On Mon, Sep 09, 2013 at 10:05:59AM -0400, John Dennis wrote:
On 09/09/2013 10:02 AM, Nalin Dahyabhai wrote:
I'd expect it to depend heavily on whether or not you're chaining up to
an external CA. Personally, I'd very much want to keep a different
On 9.9.2013 16:02, John Dennis wrote:
On 09/09/2013 05:17 AM, Jan Cholasta wrote:
Another question:
Should each IPA service (LDAP, HTTP, PKINIT) have its own distinctive
set of trusted CAs, or is using one set for everything good enough?
Using distinctive sets would allow granular control over
Jan Cholasta wrote:
On 9.9.2013 16:02, John Dennis wrote:
On 09/09/2013 05:17 AM, Jan Cholasta wrote:
Another question:
Should each IPA service (LDAP, HTTP, PKINIT) have its own distinctive
set of trusted CAs, or is using one set for everything good enough?
Using distinctive sets would allow
On 09/09/2013 05:17 AM, Jan Cholasta wrote:
Another question:
Should each IPA service (LDAP, HTTP, PKINIT) have its own distinctive
set of trusted CAs, or is using one set for everything good enough?
Using distinctive sets would allow granular control over what CA is
trusted for what
On Mon, 2013-09-09 at 16:19 +0200, Jan Cholasta wrote:
On 9.9.2013 15:36, Simo Sorce wrote:
On Mon, 2013-09-09 at 11:17 +0200, Jan Cholasta wrote:
Another question:
Should each IPA service (LDAP, HTTP, PKINIT) have its own distinctive
set of trusted CAs, or is using one set for
On Mon, Sep 09, 2013 at 10:32:08AM -0400, John Dennis wrote:
Good point. Isn't there an X509 extension (possibly part of PKIX?) which
restricts membership in the chain path to a criteria? In other words you
can require your sub-CA to be present in the chain. Sorry, but my memory
is a bit fuzzy
On Mon, 2013-09-09 at 10:40 -0400, Rob Crittenden wrote:
Jan Cholasta wrote:
On 9.9.2013 16:02, John Dennis wrote:
On 09/09/2013 05:17 AM, Jan Cholasta wrote:
Another question:
Should each IPA service (LDAP, HTTP, PKINIT) have its own distinctive
set of trusted CAs, or is using one
Aren't the implementations of name constraints generally buggy, and therefore
not usable in real life?
On Sep 9, 2013, at 9:02 AM, Nalin Dahyabhai na...@redhat.com wrote:
On Mon, Sep 09, 2013 at 10:32:08AM -0400, John Dennis wrote:
Good point. Isn't there an X509 extension (possibly part of
I would strongly argue for a separate CA list for PKINIT (service or
workstation login) vice HTTP (web browsing of semi-unknown sites). The trust
models are fundamentally different.
In the former case you are saying who is allowed to issue (conceivably
fraudulent) client certs that allow
On Mon, Sep 09, 2013 at 01:07:09PM -0700, Henry B. Hotz wrote:
On Sep 9, 2013, at 9:02 AM, Nalin Dahyabhai na...@redhat.com wrote:
On Mon, Sep 09, 2013 at 10:32:08AM -0400, John Dennis wrote:
Good point. Isn't there an X509 extension (possibly part of PKIX?) which
restricts membership in
On 3.9.2013 18:16, Dmitri Pal wrote:
On 09/02/2013 04:49 AM, Petr Spacek wrote:
On 22.8.2013 15:43, Jan Cholasta wrote:
Hi,
I'm currently investigating support for multiple CA certificates in LDAP
(https://fedorahosted.org/freeipa/ticket/3259,
https://fedorahosted.org/freeipa/ticket/3520).
On 09/02/2013 04:49 AM, Petr Spacek wrote:
On 22.8.2013 15:43, Jan Cholasta wrote:
Hi,
I'm currently investigating support for multiple CA certificates in LDAP
(https://fedorahosted.org/freeipa/ticket/3259,
https://fedorahosted.org/freeipa/ticket/3520). This will be useful
for CA
On 22.8.2013 15:43, Jan Cholasta wrote:
Hi,
I'm currently investigating support for multiple CA certificates in LDAP
(https://fedorahosted.org/freeipa/ticket/3259,
https://fedorahosted.org/freeipa/ticket/3520). This will be useful for CA
certificate renewal
Hi,
I'm currently investigating support for multiple CA certificates in LDAP
(https://fedorahosted.org/freeipa/ticket/3259,
https://fedorahosted.org/freeipa/ticket/3520). This will be useful for
CA certificate renewal (https://fedorahosted.org/freeipa/ticket/3304,
37 matches