On Thu, 2009-11-05 at 13:21 -0500, Rob Crittenden wrote:
>
> This is about right. What you're missing is storing the certificate in
> the service record. To do this we need to know what the target is.
>
> Nalin and I simply took two different approaches to sending this. We can
> easily support either method by making the principal an optional
> attribute and looking for it in the CSR if not provided (assuming I can
> get my head around PKCS#10 enough to grab attributes).
Given we should prevent "tricks" from people, the server side should really
parse the CSR and validate it against the ACL IMO. Otherwise do we have any
other part that checks that host foo.example.com is asking for a certificate
for itself and not for bar.example.com?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
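The server-side check Simo argues for, written as an added example in Go with only the standard library (this is not FreeIPA code, which is Python): the server parses the PKCS#10 request itself and accepts it only when every name it asks for matches the host of the authenticated principal. The function names, the principal form `<service>/<fqdn>@<REALM>` and the test CSRs built by `MakeTestCSR` are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"strings"
)

// ValidateCSRForPrincipal parses a DER-encoded PKCS#10 request and refuses it
// unless every name it asks for (subject CN and each DNS SAN) is the host named
// in the authenticated Kerberos principal, assumed here as "<service>/<fqdn>@<REALM>".
func ValidateCSRForPrincipal(csrDER []byte, principal string) error {
	_, rest, ok := strings.Cut(principal, "/")
	host, _, _ := strings.Cut(rest, "@")
	if !ok || host == "" {
		return fmt.Errorf("not a service principal: %q", principal)
	}
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return fmt.Errorf("bad PKCS#10: %w", err)
	}
	// The self-signature proves the requester holds the matching private key.
	if err := csr.CheckSignature(); err != nil {
		return fmt.Errorf("CSR signature invalid: %w", err)
	}
	// A host has no business asking for IP, e-mail or URI SANs.
	if len(csr.IPAddresses)+len(csr.EmailAddresses)+len(csr.URIs) > 0 {
		return fmt.Errorf("CSR carries SAN types not permitted for a host")
	}
	// Every requested name, CN included (an empty CN fails too), must be the requester.
	for _, n := range append(csr.DNSNames, csr.Subject.CommonName) {
		if !strings.EqualFold(n, host) {
			return fmt.Errorf("CSR asks for %q but requester is %q", n, host)
		}
	}
	return nil
}

// MakeTestCSR builds a constructed PKCS#10 request over a fresh P-256 key with
// the given CN and DNS SANs, so the check can be exercised offline.
func MakeTestCSR(cn string, sans ...string) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}, DNSNames: sans}
	der, _ := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return der
}
```

A real deployment would take `principal` from the GSSAPI-authenticated session, never from a request parameter, and would still consult the ACL for which services may enroll at all.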