Simo Sorce wrote:
On Mon, 2016-07-25 at 18:05 +0300, Alexander Bokovoy wrote:
But maybe I'm not seeing the proper priorities here. Perhaps it's more
of a problem because clients are easier to update with bugfixes than
the server? Or maybe the preference for the client is for scalability
reasons? Could you tell me more about why you prefer a client
implementation?

Making the client responsible for generating the certificate signing
request serves several purposes where privacy is one of the main benefits:
access to the private key stays at the client side.

I would definitely veto any scheme where the client must send the
private key to the server. I thought the server would generate the CSR,
but then it would be sent to the client for signing?

I doubt any SSL library will let you disconnect CSR generation in this way (fairly certain not in NSS anyway).

rob
