Hi Rob,

On Saturday, 17 April 2010 05:43:15, Rob Crittenden wrote:
> ...
> I'm not worried about extraneous bug reports. The advantage of a
> bugzilla is it doesn't let me forget things to fix. If you want to be
> cautious you can always report problems on the list and we can address
> them as they come up, either with 1-liner fixes, explanations or bug
> filings. I'm fine with reporting problems on the list as long as real
> problems eventually end up as bugs.
>

Great. So I'll continue to post my observations here on the list. And if you say it's worth a bug report, I'll open one.

> ...
> I'm not too keen on asking too many more questions during the
> installation, the biggest problem being if a user decides against using
> dogtag.

Well, I understand the point. But someone can always just press return, if the defaults are good. Another method would be to ask for an "express" or "expert/custom" installation. So all the boring questions for experts could be hidden from the "normal" user, but the installation is open to be used by more sophisticated users.

>
> If one uses dogtag we set the subject in a way that regardless of the
> subject in the CSR we just use the CN value. So we have ultimate control
> over the issued subject.
>
> With the self-signed CA we can only reject certificates that don't match
> what we allow. This isn't very user friendly but is the best we can do
> using the current NSS command-line tools we use for issuing certs. The
> NSS tools provide sort of a poor-man's CA so we do the best we can, it
> just isn't that flexible.
>

I think it's a well chosen tradeoff for an "all in one system" like freeIPA to use the CN value for internal things, and leave the rest (o, ou, e, st, etc.) to the user. Maybe it could be a goal for v3 or v4 to make CN customizable, so every foreign CA could be used.

Best regards,
Oli

--
Oliver Burtchen, Berlin

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
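The two subject-handling policies Rob contrasts above (rewrite the issued subject from the CSR's CN only, versus accept the CSR subject only if it already matches what is allowed) are shown side by side in this added, constructed example; it is not FreeIPA or dogtag code, and the domain pattern, the `O` value and the simplified DN parser (no escaped commas) are assumptions made for illustration.

```python
import re
from typing import List, Tuple

# Hypothetical policy for this example: the CN must be a host under example.test.
ALLOWED_CN = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.example\.test$")
ISSUER_ORG = "EXAMPLE.TEST"  # constructed value, not a FreeIPA default


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split 'CN=a,O=b' into [('CN', 'a'), ('O', 'b')].

    Simplification: RDN separators are assumed to be unescaped commas.
    """
    rdns = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def dogtag_style_subject(csr_subject: str) -> str:
    """Rewrite approach: take only the CN from the CSR and build the issued
    subject ourselves, so anything else the requester put in the DN is ignored."""
    cns = [v for a, v in parse_dn(csr_subject) if a == "CN"]
    if len(cns) != 1 or not ALLOWED_CN.match(cns[0]):
        raise ValueError("CSR does not carry exactly one acceptable CN")
    return f"CN={cns[0]},O={ISSUER_ORG}"


def selfsigned_style_accept(csr_subject: str) -> bool:
    """Accept/reject approach: the CA cannot rewrite the subject, so the whole
    CSR subject must already be exactly what the policy allows."""
    rdns = parse_dn(csr_subject)
    if len(rdns) != 2 or {a for a, _ in rdns} != {"CN", "O"}:
        return False  # extra or missing attributes: reject
    attrs = dict(rdns)
    return bool(ALLOWED_CN.match(attrs["CN"])) and attrs["O"] == ISSUER_ORG
```

With the rewrite policy a CSR such as `CN=ipa.example.test,O=Foo,L=Berlin` is issued as `CN=ipa.example.test,O=EXAMPLE.TEST`, while the accept/reject policy refuses that same CSR because its `O` and `L` do not match.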
