On 2.7.2015 16:33, Fraser Tweedale wrote:
> Hi all,
> 
> cert-request ensures that any dNSName values in a CSR subjectAltName
> requestExtension have a corresponding service/host principal in
> FreeIPA and that their entries are writable by the bind principal.
> 
> It currently DOES NOT enforce CA ACLs for these alternative
> principals, i.e. it does not check that there is a caacl rule
> allowing issuance of certificates to each alt-principal (using the
> chosen profile.)
> 
> Should it?  I'm leaning towards "yes" but I want other perspectives.

I would say 'it has to!' :-)

From my point of view, subjectAltName allows the entity possessing the private
key for the certificate to impersonate anything mentioned in
SubjectAltName and CN ...

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
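The check the thread is discussing, as an added illustration rather than FreeIPA's own code: every SAN dNSName is mapped to a host principal, the existing entry/writability checks run against it, and the CA ACL check is then applied to the subject principal and to each alt principal. The realm, the `directory` stand-in for the LDAP ACI check, and the simplified `CaAcl` model are assumptions made here, not taken from the thread.

```python
from dataclasses import dataclass

REALM = "EXAMPLE.TEST"  # constructed realm; the thread does not name one


def host_principal(fqdn: str) -> str:
    """Map a SAN dNSName to the host principal it would identify."""
    return f"host/{fqdn.lower().rstrip('.')}@{REALM}"


@dataclass(frozen=True)
class CaAcl:
    """Simplified caacl rule: listed principals (or all hosts) may use these profiles."""
    name: str
    profiles: frozenset
    principals: frozenset = frozenset()
    all_hosts: bool = False  # like hostcategory=all
    enabled: bool = True

    def permits(self, principal: str, profile: str) -> bool:
        if not self.enabled or profile not in self.profiles:
            return False
        return principal in self.principals or (self.all_hosts and principal.startswith("host/"))


def check_request(subject, san_dnsnames, profile, acls, directory, bind_principal):
    """Return denial reasons; an empty list means the request passes every check.

    `directory` maps a principal to the set of principals allowed to write its
    entry (a constructed stand-in for the LDAP ACI check). The CA ACL check runs
    for the subject principal and for every alt principal derived from a dNSName."""
    reasons = []
    alt_principals = [host_principal(d) for d in san_dnsnames]
    for p in alt_principals:  # the checks cert-request already performs
        if p not in directory:
            reasons.append(f"no host/service entry for {p}")
        elif bind_principal not in directory[p]:
            reasons.append(f"{bind_principal} cannot write {p}")
    for p in [subject] + alt_principals:  # the proposed CA ACL check
        if not any(a.permits(p, profile) for a in acls):
            reasons.append(f"no enabled caacl allows {p} with profile {profile}")
    return reasons


# Constructed sample data: one rule covering the web host and its HTTP service.
ADMIN = f"admin@{REALM}"
WWW, ALIAS = host_principal("www.example.test"), host_principal("alias.example.test")
DIRECTORY = {WWW: {ADMIN}, ALIAS: {ADMIN}}
ACLS = [CaAcl("web", frozenset({"caIPAserviceCert"}), frozenset({WWW, f"HTTP/www.example.test@{REALM}"}))]
```

With the sample data, a CSR naming only www.example.test passes, while adding alias.example.test is refused solely because no rule covers that alt principal, even though its entry exists and is writable.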