Ian Pilcher via FreeIPA-devel wrote:
> On 02/18/2018 07:22 PM, Fraser Tweedale wrote:
>> Ultimately, the same problems exist for any kind of subject name and
>> the only practical mitigation is short-lived certificates. With
>> that in mind, given that Ian's proposal is scoped to only validate
>> IP Address altnames against data that are explicitly managed in
>> FreeIPA, I don't object. I'm interested to hear other views.
>
> Thanks for the positive feedback. Anyone else want to chime in?

You'd need to ensure that the IP address exists in IPA but that it is owned/managed by the user/host/service making the request.

> FYI, I've been working on the logic for validating the IP addresses in
> my not-copious-spare time, and I hope to have something worth discussing
> in the next week or so.

Thanks, I look forward to it.

rob