On Thu, 2009-11-05 at 13:21 -0500, Rob Crittenden wrote:
> This is about right. What you're missing is storing the certificate
> in 
> the service record. To do this we need to know what the target is.
> Nalin and I simply took two different approaches to sending this. We
> can 
> easily support either method by making the principal an optional 
> attribute and looking for it in the CSR if not provided (assuming I
> can 
> get my head around PKCS#10 enough to grab attributes).

Given we should prevent "tricks" from people the server side should
really parse the CSR and validate it against the ACL IMO.
Otherwise do we have any other part that checks that host
foo.example.com is asking a certificate for itself and not for
bar.example.com ?


Simo Sorce * Red Hat, Inc * New York

Freeipa-devel mailing list

Reply via email to