Re: [Pki-devel] [PATCH] Lightweight CAs

On 9/18/2015 1:46 PM, Ade Lee wrote: >>6. Assuming authority DN is unique, we can add --issuer <DN> option >>tothese commands: >>* pki ca-cert-find --issuer <dn> >>* pki ca-cert-request-submit --issuer <dn> >>* pki client-cert-find --issuer <dn> >>* pki client-cert-request --issuer <dn> >> > >If we do this, then we need to be sure that the DN is normalized - both >on input -- ie. when the subca is created (we need to do this in any >case) and also on processing in the CLI. > >I'm ok with offering this as an option (maybe --issuer_dn), but the >primary (and initially required option) will be using UUID. We can >defer this mechanism to another ticket/patch. Please open one. Per IRC discussion we agreed with these options: * --issuer-id <ID> * --issuer-dn <DN> to be added to the ca-cert-* and client-cert-request commands. For the client-cert-find command we can only provide this option: * --issuer-dn <DN> since issuer ID is irrelevant on the client. Personally I think the issuer DN would be more useful since that's the value that you see in certificates, so it's more consistent everywhere, and no need to do a lookup to find the issuer ID. Also, although most likely we will copy & paste the ID or DN anyway, the DN is easier to read and confirm that you're submitting the request to the right authority. -- Endi S. Dewata