On Thu, 13 Aug 2015, Jan Cholasta wrote:
> Hi,
>
> On 13.8.2015 07:54, Fraser Tweedale wrote:
>> The attached patch fixes
>> https://fedorahosted.org/freeipa/ticket/5205
>
> Simo wrote this some time ago in a (private) discussion about CSR extensions:
>
> On 23.1.2014 18:58, Simo Sorce wrote:
>> Regardless of which tool we use, I really think we need an API that will
>> list all the extensions, whether they are understood or not, and then we
>> need to proceed and check that only 'acceptable' extensions are passed
>> in. Dogtag will do extra validation for sure, but given IPA does access
>> control, then IPA needs to be sure of what it is checking.
>
> Simo, does this still hold? Fraser's patch removes the check. Is it OK or not?

I don't see a contradiction. Nothing prevents us from actually verifying
the certificate request against the certificate profile in the IPA
framework and listing the outcome. This does not require hardcoding
actual extensions.
--
/ Alexander Bokovoy
