On Thu, Jul 02, 2015 at 06:24:12PM +0200, Petr Spacek wrote:
> On 2.7.2015 16:33, Fraser Tweedale wrote:
> > Hi all,
> > 
> > cert-request ensures that any dNSName values in a CSR subjectAltName
> > requestExtension have a corresponding service/host principal in
> > FreeIPA and that their entries are writable by the bind principal.
> > 
> > It currently DOES NOT enforce CA ACLs for these alternative
> > principals, i.e. it does not check that there is a caacl rule
> > allowing issuance of certificates to each alt-principal (using the
> > chosen profile.)
> > 
> > Should it?  I'm leaning towards "yes" but I want other perspectives.
> 
> I would say 'it has to!' :-)
> 
> From my point of view, subjectAltName allows the entity possessing the private
> key for the the certificate to impersonate anything mentioned in
> SubjectAltName and CN ...
> 
Thanks Petr, that's enough corroboration for me.

Ticket: https://fedorahosted.org/freeipa/ticket/5096
Expect the patch Friday some time.

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to