On Wed, Jun 08, 2016 at 12:27:10PM -0400, Nalin Dahyabhai wrote:
> On Thu, Jun 09, 2016 at 12:40:11AM +1000, Fraser Tweedale wrote:
> > On Wed, Jun 08, 2016 at 09:51:17AM -0400, Nalin Dahyabhai wrote:
> > > The patch looks more or less reasonable (nits, mainly formatting and
> > > docs), but it's not clear to me how the notion of issuers relates to
> > > sub-CAs described at http://www.freeipa.org/page/V4/Sub-CAs. Are they
> > > the same? If not, what's the difference?
> >
> > They are the same, but "issuer" terminology is used because in the
> > future we could offer unrelated CAs through the same interface.
>
> So issuers correspond roughly to a signer whose signing certificate is
> being exposed through IPA, one of possibly many known to the server,
> which may or may not be hierarchically related to others known to the
> server?

That's correct.

> What form do the issuer names take? The name suggests to me that
> they're distinguished names. If they are DNs, should we be validating
> the format of them somewhere on the client before hitting the server?

They are names (CN) of the CA objects in IPA. IPA uses the term
"CA" but this already has meaning in Certmonger.

I'm definitely open to other ideas.

> Can we get the design doc updated to detail the additions being made
> to getcert's CLI, like it does for the ipa command?
>
> Ballpark, is there an upper limit on how many issuers you expect to see
> a typical server supporting?

No idea; anything up to 10 seems reasonable, more than 20 seems
rather unlikely... but who knows? Maybe in some large organisation
every department, or office, or team, gets a CA?

> Are the names of the issuers that are known to a server
> discoverable?

They are; Certmonger can ask IPA for them.

> > Let me know the nits and where to put docs :)
>
> Take care to not overflow params[] in getcert.c. Really, at some point
> that should be changed to be a list or a dynamically-sized array, but
> testers will always try the equivalent of pressing all of the buttons.

Do you want me to bump the size, or is it just something to be aware
of? I don't think there are 50 params yet.

> Fix line wrapping in ipa.c (calls to submit_or_poll_uri() in hunks that
> start at lines 440 and 455 have a newline after an opening parenthesis).
>
> Add a description of the -X flag to src/getcert-rekey.1.in.
>
> Add information about $CERTMONGER_CA_ISSUER to doc/submit.txt and
> doc/helpers.txt, and information about the "template-issuer" property to
> doc/api.txt (it's probably already missing a few things, but no need to
> compound that).
No problem, thanks!
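The params[] concern raised in the thread (a fixed-size array in getcert.c that a tester "pressing all of the buttons" could overflow, versus a dynamically sized list), shown as an added example. This is not certmonger's code and does not reproduce getcert.c; every name here (fixed_params, param_list, fixed_demo, dynamic_demo, the "-X issuer" sample value) is hypothetical. The fixed variant refuses to store past its bound instead of writing past the end of the array; the growable variant removes the bound entirely.

```c
/*
 * Added example, not certmonger's code. Contrasts a bounded fixed-size
 * params[] array with a growable list, for the case where a command line
 * repeats an option more times than the array was sized for.
 * All identifiers below are hypothetical.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed-size variant: deliberately small so the bound is easy to hit. */
#define FIXED_MAX_PARAMS 4

struct fixed_params {
	const char *params[FIXED_MAX_PARAMS];
	size_t n;
};

/* Returns 1 on success, 0 when the array is full (refuse, never overflow). */
int fixed_params_add(struct fixed_params *fp, const char *value)
{
	if (fp->n >= FIXED_MAX_PARAMS)
		return 0;
	fp->params[fp->n++] = value;
	return 1;
}

/* Dynamically sized variant: grows by doubling, so there is no bound to forget. */
struct param_list {
	char **items;
	size_t n;
	size_t cap;
};

void param_list_init(struct param_list *pl)
{
	pl->items = NULL;
	pl->n = 0;
	pl->cap = 0;
}

/* Appends a copy of value. Returns 1 on success, 0 on allocation failure. */
int param_list_add(struct param_list *pl, const char *value)
{
	if (pl->n == pl->cap) {
		size_t newcap = pl->cap ? pl->cap * 2 : 8;
		if (newcap > SIZE_MAX / sizeof(*pl->items))
			return 0;                      /* would overflow the size computation */
		char **grown = realloc(pl->items, newcap * sizeof(*pl->items));
		if (grown == NULL)
			return 0;
		pl->items = grown;
		pl->cap = newcap;
	}
	size_t len = strlen(value) + 1;
	char *copy = malloc(len);
	if (copy == NULL)
		return 0;
	memcpy(copy, value, len);
	pl->items[pl->n++] = copy;
	return 1;
}

void param_list_free(struct param_list *pl)
{
	for (size_t i = 0; i < pl->n; i++)
		free(pl->items[i]);
	free(pl->items);
	param_list_init(pl);
}

/* Feeds the same option `attempts` times into the fixed array and returns how
 * many were stored: the count stops at FIXED_MAX_PARAMS, the rest are refused. */
size_t fixed_demo(int attempts)
{
	struct fixed_params fp = { {0}, 0 };
	for (int i = 0; i < attempts; i++)
		if (!fixed_params_add(&fp, "-X issuer"))   /* constructed sample value */
			break;
	return fp.n;
}

/* Same input into the growable list; returns how many were stored (all of them). */
size_t dynamic_demo(int attempts)
{
	struct param_list pl;
	param_list_init(&pl);
	for (int i = 0; i < attempts; i++)
		if (!param_list_add(&pl, "-X issuer"))
			break;
	size_t stored = pl.n;
	param_list_free(&pl);
	return stored;
}

int main(void)
{
	printf("fixed array stored %zu of 10\n", fixed_demo(10));
	printf("dynamic list stored %zu of 100\n", dynamic_demo(100));
	return 0;
}
```

The check that matters in the fixed variant is the one line comparing fp->n against the bound before the store; the thread's worry is exactly that a parsing loop adds entries without it. The growable variant trades that per-call check for an allocation-failure check, which the caller still has to honour.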