On 11/05/09 11:34, Simo Sorce wrote:
On Thu, 2009-11-05 at 11:28 -0800, Andrew Wnuk wrote:
On 11/05/09 11:22, Simo Sorce wrote:
On Thu, 2009-11-05 at 13:21 -0500, Rob Crittenden wrote:

This is about right. What you're missing is storing the certificate in
the service record. To do this we need to know what the target is.

Nalin and I simply took two different approaches to sending this. We
easily support either method by making the principal an optional
attribute and looking for it in the CSR if not provided (assuming I
get my head around PKCS#10 enough to grab attributes).

Given we should prevent "tricks" from people, the server side should
really parse the CSR and validate it against the ACL IMO.
Otherwise do we have any other part that checks that host
foo.example.com is asking for a certificate for itself and not for
bar.example.com?


CSR is parsed and validated by CA.
How does the CA know "Who" asked for a specific cert?


CA authenticates IPA and validates CSR, IPA authenticates and authorizes.
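The server-side check Simo asks for above (parse the CSR and confirm that host foo.example.com is only asking for itself, not bar.example.com), written here as an added example rather than code from this thread or from FreeIPA. It assumes the requester was already authenticated as a Kerberos host principal of the form host/fqdn@REALM, uses Go's standard library for the PKCS#10 parsing, and builds its test CSRs in-line with a throwaway key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"strings"
)

// ValidateCSRForHost takes the principal the server authenticated (host/fqdn@REALM)
// and rejects the PKCS#10 request unless every name it asks for is that host.
func ValidateCSRForHost(csrDER []byte, principal string) error {
	svc, rest, ok := strings.Cut(principal, "/")
	if !ok || svc != "host" {
		return fmt.Errorf("not a host principal: %q", principal)
	}
	host, _, _ := strings.Cut(rest, "@")
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return fmt.Errorf("malformed CSR: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return fmt.Errorf("CSR proof-of-possession failed: %w", err)
	}
	// IP, email and URI SANs can never name "this host", so refuse them.
	if len(csr.IPAddresses)+len(csr.EmailAddresses)+len(csr.URIs) > 0 {
		return fmt.Errorf("CSR carries non-DNS subject alternative names")
	}
	if csr.Subject.CommonName == "" && len(csr.DNSNames) == 0 {
		return fmt.Errorf("CSR names no host at all")
	}
	for _, n := range append([]string{csr.Subject.CommonName}, csr.DNSNames...) {
		if n != "" && !strings.EqualFold(n, host) {
			return fmt.Errorf("%s may not request a certificate for %s", host, n)
		}
	}
	return nil
}

// makeCSR builds a constructed test CSR with a throwaway key (not from the thread).
func makeCSR(cn string, sans ...string) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}, DNSNames: sans}
	der, _ := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return der
}
```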


Freeipa-devel mailing list