URL: https://github.com/freeipa/freeipa/pull/227
Title: #227: cert-request: match names against principal aliases

martbab commented:
@frasertweedale What is the intended semantics of the checks against principal 
aliases in SAN? If the requestor can use only the aliases belonging to the 
entry of the recieving principal, then it should be enough to retrieve the 
entry by searching for the 'krbprincipalname' from --principal option, retrieve 
it, and then checking whether all values of dnsName/KRB5PrincipalName are a 
subset of Kerberos principal aliases.


See the full comment at 
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to