On Mon, Jan 7, 2013 at 10:03 PM, Alex Harvey <alexharv...@gmail.com> wrote:
> Hi Andy,
>
> On Tuesday, January 8, 2013 6:19:40 AM UTC+11, Andy Parker wrote:
>>
>> On Sat, Jan 5, 2013 at 8:28 AM, Alex Harvey <alexh...@gmail.com> wrote:
>>
>>> From reading the help page for puppet agent I tend to agree with
>>> Greg Boug who raised the issue that --digest ought to affect both the
>>> algorithm used to generate a fingerprint (which it apparently does) and
>>> also the algorithm used to generate the CSR.
>>>
>>
>> I would be a little wary of conflating these things together. It isn't
>> clear to me how much the --digest should affect.
>>
>
> Yes I am also wary.
>
> Here's what I can see --digest doing so far -
>
> [snip]
>
> They all look fairly consistent in dealing with the fingerprint of something.
>
> I also note a comment by Jeff Weiss in lib/puppet/ssl/host.rb -
>
> [snip]
>
> I am yet to fully get my head around what to_pson is used for. However, I
> am wondering if this move to FIPS 140-2 compliance and Jeff's comment about
> ruby segfaulting when using MD5 means I should handle a case where neither
> SHA1 nor SHA256 is available differently.
>

to_pson is what generates the JSON (PSON is because of a collision that happened with ActiveSupport and so we had to rename a module and the name started leaking out) that we send as a response in web requests, or anywhere that we need to show it as JSON.

> So perhaps a new option is needed to choose (1) the algorithm used to
> generate a CSR (2) the algorithm used to create a certificate using puppet
> cert generate, (3) option used via puppet ca generate.
>
> Or maybe all this is too ambitious and I should just refactor to create a
> class that takes care of signing a certificate and have it gracefully
> handle the situation where SHA256 isn't available.
>

It is as ambitious as you want it to be :) I've found all of the certification handling stuff pretty hard to follow, so I would be all ears on what we could do to make it work better/be more consistent/be easier to use.
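To make the distinction discussed in the thread concrete, here is an added Ruby example (not Puppet's own code) that signs a CSR with a digest chosen by probing the local OpenSSL build, falling back when SHA256 is not available, and then fingerprints the CSR with a separately chosen digest, which is the choice --digest makes. The node name, key size and preference list are assumptions constructed for the example.

```ruby
require 'openssl'

# Digests this example is willing to sign a CSR with, strongest first.
# Which of them exist depends on the OpenSSL build Ruby is linked against
# (a FIPS-mode build, for instance, refuses MD5 outright).
SIGNING_DIGEST_PREFERENCE = %w[SHA256 SHA1].freeze

# Return the first digest from +candidates+ that this OpenSSL build can
# instantiate, or raise if none can. Probing up front is what lets a build
# without SHA256 fall back instead of failing in the middle of signing.
def pick_signing_digest(candidates = SIGNING_DIGEST_PREFERENCE)
  candidates.each do |name|
    begin
      return OpenSSL::Digest.new(name)
    rescue StandardError
      # Unsupported algorithm; the exact class raised varies between
      # openssl gem versions, so fall through to the next candidate.
      next
    end
  end
  raise ArgumentError, "none of #{candidates.join(', ')} is available in this OpenSSL build"
end

# Build and sign a CSR for +name+ with +digest+. The signing digest is what
# ends up in the CSR's signature_algorithm and is what a CA policy inspects.
def build_csr(name, key, digest)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', name]])
  csr.public_key = key.public_key
  csr.sign(key, digest)
  csr
end

# Fingerprint of the DER-encoded CSR in colon-separated hex. This digest is
# chosen independently of the one the CSR was signed with: changing it
# changes only how the request is displayed and compared, not its signature.
def fingerprint(csr, digest_name)
  OpenSSL::Digest.new(digest_name).hexdigest(csr.to_der).upcase.scan(/../).join(':')
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048)                  # constructed example key
  csr = build_csr('agent.example.test', key, pick_signing_digest)
  puts "signed with: #{csr.signature_algorithm}"
  puts "SHA256 fingerprint: #{fingerprint(csr, 'SHA256')}"
end
```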