On Thu, Jul 02, 2015 at 06:24:12PM +0200, Petr Spacek wrote:
> On 2.7.2015 16:33, Fraser Tweedale wrote:
> > Hi all,
> > cert-request ensures that any dNSName values in a CSR subjectAltName
> > requestExtension have a corresponding service/host principal in
> > FreeIPA and that their entries are writable by the bind principal.
> > It currently DOES NOT enforce CA ACLs for these alternative
> > principals, i.e. it does not check that there is a caacl rule
> > allowing issuance of certificates to each alt-principal (using the
> > chosen profile.)
> > Should it? I'm leaning towards "yes" but I want other perspectives.
> I would say 'it has to!' :-)
> From my point of view, subjectAltName allows the entity possessing the private
> key for the certificate to impersonate anything mentioned in
> SubjectAltName and CN ...
Thanks Petr, that's enough corroboration for me.
Expect the patch Friday some time.
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
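The checks Fraser describes, modelled as an added example that is not FreeIPA's own cert-request code. It assumes a fixed realm, a simple dNSName-to-host-principal naming convention, an in-memory directory of entries with their writers, and a reduced caacl rule (profile set plus principal set, no categories or groups). The constructed scenario shows the gap under discussion: with CA ACLs not enforced on SAN principals, a CSR for one host obtains a certificate also naming a second host that no caacl rule permits for the chosen profile; with enforcement on, that request is rejected.

```python
# Added example, not FreeIPA code. Realm, principal naming convention,
# entry/ACL structures and the sample data below are all assumptions.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

REALM = "EXAMPLE.TEST"  # assumed realm for the examples


@dataclass(frozen=True)
class Entry:
    """A host/service entry: its principal and the bind principals allowed to write it."""
    principal: str
    writers: FrozenSet[str]


@dataclass(frozen=True)
class CaAcl:
    """Simplified caacl rule: the listed principals may use the listed profiles."""
    profiles: FrozenSet[str]
    principals: FrozenSet[str]


def dnsname_to_host_principal(dnsname: str, realm: str = REALM) -> str:
    """Map a SAN dNSName to the host principal it names (assumed convention:
    lower-cased FQDN without trailing dot, in the fixed realm)."""
    fqdn = dnsname.strip().rstrip(".").lower()
    return f"host/{fqdn}@{realm}"


def caacl_allows(acls: List[CaAcl], principal: str, profile: str) -> bool:
    """True if some rule grants this principal the requested profile."""
    return any(profile in a.profiles and principal in a.principals for a in acls)


def check_cert_request(subject_principal: str, san_dnsnames: List[str],
                       bind_principal: str, profile: str,
                       directory: Dict[str, Entry], acls: List[CaAcl],
                       enforce_caacl_on_alt: bool = True) -> List[str]:
    """Return a list of reasons to refuse the request (empty means issue).

    The subject principal must exist, be writable by the bind principal and
    be permitted the profile by a CA ACL. Each SAN dNSName must name an
    existing principal writable by the bind principal; with
    enforce_caacl_on_alt it must also pass the CA ACL check for the profile,
    which is the behaviour proposed in the thread.
    """
    errors: List[str] = []
    subject = directory.get(subject_principal)
    if subject is None:
        errors.append(f"subject: no principal {subject_principal}")
    elif bind_principal not in subject.writers:
        errors.append(f"subject: {bind_principal} may not write {subject_principal}")
    if not caacl_allows(acls, subject_principal, profile):
        errors.append(f"subject: CA ACL denies profile {profile} to {subject_principal}")

    for name in san_dnsnames:
        alt = dnsname_to_host_principal(name)
        entry = directory.get(alt)
        if entry is None:
            errors.append(f"SAN {name}: no principal {alt}")
            continue
        if bind_principal not in entry.writers:
            errors.append(f"SAN {name}: {bind_principal} may not write {alt}")
            continue
        if enforce_caacl_on_alt and not caacl_allows(acls, alt, profile):
            errors.append(f"SAN {name}: CA ACL denies profile {profile} to {alt}")
    return errors


def demo() -> Tuple[List[str], List[str]]:
    """Constructed scenario: admin may write both hosts, but only web1 is
    covered by a caacl rule for the profile. The CSR is for web1 with a SAN
    dNSName for ldap1. Returns (errors without alt enforcement, errors with)."""
    web1 = dnsname_to_host_principal("web1.example.test")
    ldap1 = dnsname_to_host_principal("ldap1.example.test")
    admin = f"admin@{REALM}"
    directory = {
        web1: Entry(web1, frozenset({admin})),
        ldap1: Entry(ldap1, frozenset({admin})),
    }
    acls = [CaAcl(frozenset({"caIPAserviceCert"}), frozenset({web1}))]
    common = dict(subject_principal=web1, san_dnsnames=["ldap1.example.test"],
                  bind_principal=admin, profile="caIPAserviceCert",
                  directory=directory, acls=acls)
    lenient = check_cert_request(enforce_caacl_on_alt=False, **common)
    strict = check_cert_request(enforce_caacl_on_alt=True, **common)
    return lenient, strict


if __name__ == "__main__":
    lenient, strict = demo()
    print("without alt-principal CA ACL check:", lenient or "issued")
    print("with alt-principal CA ACL check:   ", strict or "issued")
```

The lenient path returns no errors, so a certificate naming ldap1 would be issued on the strength of web1's ACL alone; the strict path refuses it with a reason naming the SAN. In a real deployment the write-access check and the ACL evaluation are separate questions: being able to edit a host entry says nothing about which certificate profiles that host is allowed to use.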