On 11/05/09 11:22, Simo Sorce wrote:
On Thu, 2009-11-05 at 13:21 -0500, Rob Crittenden wrote:
This is about right. What you're missing is storing the certificate in
the service record. To do this we need to know what the target is.

Nalin and I simply took two different approaches to sending this. We can
easily support either method by making the principal an optional
attribute and looking for it in the CSR if not provided (assuming I can
get my head around PKCS#10 enough to grab attributes).
Given we should prevent "tricks" from people the server side should
really parse the CSR and validate it against the ACL IMO.
Otherwise do we have any other part that checks that host
foo.example.com is asking a certificate for itself and not for
bar.example.com?

Simo.

The CSR is parsed and validated by the CA.
Andrew

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
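The server-side check Simo describes above, as an added example that is not code from this thread or from FreeIPA: a Go sketch that parses a PKCS#10 request and accepts it only when every name it asks for matches the host in the requesting principal, so foo.example.com cannot obtain a certificate naming bar.example.com. The "SERVICE/host@REALM" principal layout and the constructed sample CSRs from MakeCSR are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"strings"
)

// ValidateCSRForPrincipal parses a DER PKCS#10 request on the server and accepts
// it only if every name it asks for (subject CN and SAN dNSNames) is the host the
// authenticated principal is bound to. Principal layout "SERVICE/host@REALM" is assumed.
func ValidateCSRForPrincipal(csrDER []byte, principal string) error {
	at, slash := strings.LastIndex(principal, "@"), strings.Index(principal, "/")
	if at < 0 || slash < 0 || slash > at {
		return fmt.Errorf("malformed principal %q", principal)
	}
	host := strings.ToLower(principal[slash+1 : at])
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return err
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession of the key
		return err
	}
	names := append([]string{}, csr.DNSNames...)
	if cn := csr.Subject.CommonName; cn != "" {
		names = append(names, cn)
	}
	if len(names) == 0 || len(csr.EmailAddresses)+len(csr.IPAddresses)+len(csr.URIs) > 0 {
		return fmt.Errorf("CSR has no DNS name, or carries SAN types (email/IP/URI) the host ACL does not cover")
	}
	for _, n := range names {
		if strings.ToLower(n) != host {
			return fmt.Errorf("CSR names %q but principal is bound to %q", n, host)
		}
	}
	return nil
}

// MakeCSR builds a constructed sample request: subject CN plus optional SAN dNSNames.
func MakeCSR(cn string, sans ...string) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}, DNSNames: sans}
	der, _ := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return der
}
```

A real deployment would also look the CSR's names up against the service's ACL entry rather than only the principal string, but the name-binding check is the part the thread is about.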
