Simo Sorce wrote:
> On Thu, 2009-11-05 at 11:28 -0800, Andrew Wnuk wrote:
>   
>> On 11/05/09 11:22, Simo Sorce wrote:
>>     
>>> On Thu, 2009-11-05 at 13:21 -0500, Rob Crittenden wrote:
>>>    
>>>       
>>>> This is about right. What you're missing is storing the certificate
>>>> in
>>>> the service record. To do this we need to know what the target is.
>>>>
>>>> Nalin and I simply took two different approaches to sending this. We
>>>> can
>>>> easily support either method by making the principal an optional
>>>> attribute and looking for it in the CSR if not provided (assuming I
>>>> can
>>>> get my head around PKCS#10 enough to grab attributes).
>>>>      
>>>>         
>>> Given we should prevent "tricks" from people the server side should
>>> really parse the CSR and validate it against the ACL IMO.
>>> Otherwise do we have any other part that checks that host
>>> foo.example.com is asking a certificate for itself and not for
>>> bar.example.com ?
>>>
>>> Simo.
>>>
>>>    
>>>       
>> CSR is parsed and validated by CA.
>>     
>
> How does the CA know "Who" asked for a specific cert ?
>
> Simo.
>
>   
The server should look at the identity of the peer who authenticated
when the connection was established.
It can be admin using his password or a host using his keytab or OTP.
I think Rob figured out how to factor this into the aci validation and
the code to do it already there.
Rob?


-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to