On 01/09/2014 04:49 PM, Simo Sorce wrote:
> On Thu, 2014-01-09 at 10:44 -0500, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On 01/09/2014 03:12 PM, Simo Sorce wrote:
>>>>> Also maybe we should allow admins to bypass the need to have an actual
>>>>> object to represent the alt name ?
>> I'd rather not. This would allow a rogue admin to create a cert for
>> www.google.com. Sure, they could also create a host for that but forcing
>> them to add more entries increases the chances of them getting caught
>> doing it.
> They can remove the host right after they create a cert, I honestly do
> not think this is a valid concern. If your admin is rouge he can already
> take full ownership of your infrastructure in many ways, preventing
> setting a name in a cert doesn't really make a difference IMO.
> However I would be ok to limit this to some new "Security Admin/CA
> Admin" role that is not assigned by default.
Ok, let's reach some conclusion here. I would really like to not defer this
feature for too long, it is quite wanted. Would creating new virtual operation
"Request certificate with SAN" make the situation better? It would not be so
difficult to do, the check_access function can already access virtual operation
name as a parameter, we just need to call it.
Freeipa-devel mailing list