[Freeipa-devel] user certificates
Dmitri Pal
dpal at redhat.com
Thu Jun 12 03:10:21 UTC 2014
On 06/11/2014 09:18 PM, Fraser Tweedale wrote:
> On Wed, Jun 11, 2014 at 08:55:20AM -0400, John Dennis wrote:
>> On 06/11/2014 04:02 AM, Fraser Tweedale wrote:
>>> There are other use cases for user certificates, e.g. client
>>> authentication for HTTP or other network services. Perhaps you know
>>> of others - in which case let us know.
>> 802.11 wireless authentication using EAP-TLS
>>
>> A common discussion on the RADIUS mailing lists is the desire to deploy
>> using EAP-TLS but the difficulty of provisioning user certs is always
>> the stumbling block.
>>
> Thanks John,
>
> I've created http://www.freeipa.org/page/User_certificate_use_cases
> to collect and discuss these use cases.
I think it is important to differentiate short term and long term certificates
for users.
The long term certificates are used for authentication and signing. They
are put on devices like smart cards. They need to be associated with the
user in the back end. They can be revoked.
The short lived certificates do not need to be recorded on the server
side. They are just issued and since they do not live long there is no
need to record them in the back end or to try to revoke them. This is IMO a
crucial difference.
For now we focus on the long living certificates for hosts, services,
devices and short lived certificates for any identity.
IMO long lived certs for users is a separate big use case that we
currently should set aside and solve after we solve the other use cases.
>
> Fraser
>
>> --
>> John
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.