Fil Di Noto wrote:
> In my imagination, I see IPA for whatever reason comes across a cert
> it signed in the past and decides it needs to compare the SAN to the
> directory. Then it sees the SAN doesn't have an associated principal
> in the directory. Who does IPA trust? (the directory obviously). IPA
> says, "is this SAN in the directory? No. Did I sign the cert? Yes.
> Should I trust the cert? Yes because I signed it."
Speaking purely from the PKI perspective, without detailed knowledge about FreeIPA:

If the IPA directory is the only assured source of truth, then the CA must revoke the cert, because its knowledge about the assertion made in the cert (this public key belongs to this entity) cannot be verified anymore.

Note that the assertion made in a cert has to be valid for the *complete* validity period of the cert, not only at the time of cert issuance.

=> If in doubt, then revoke.

Ciao,
Michael.
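The decision rule Michael describes (the directory is the source of truth; a cert the CA signed whose SAN no longer maps to a directory entry becomes a revocation candidate for as long as it is still valid) as an added, stand-alone example. This is not code from the thread or from FreeIPA; the directory contents, serials, issuer names and host names are constructed, and a real deployment would read them from the CA database and LDAP.

```python
from datetime import datetime, timezone

# Constructed sample directory (not FreeIPA data): host principal -> the
# SAN dNSNames the directory currently vouches for.
DIRECTORY = {
    "host/web1.example.test": {"web1.example.test", "www.example.test"},
    "host/db1.example.test": {"db1.example.test"},
}

OUR_ISSUER = "CN=Our CA"  # constructed issuer DN for "did I sign it?"
UTC = timezone.utc

# Constructed sample of certificates on record (serial, issuer, SANs, expiry).
ISSUED = [
    {"serial": 101, "issuer": OUR_ISSUER, "sans": ["web1.example.test", "www.example.test"],
     "not_after": datetime(2030, 1, 1, tzinfo=UTC)},
    {"serial": 102, "issuer": OUR_ISSUER, "sans": ["db1.example.test"],
     "not_after": datetime(2030, 1, 1, tzinfo=UTC)},
    {"serial": 103, "issuer": OUR_ISSUER, "sans": ["old.example.test"],
     "not_after": datetime(2030, 1, 1, tzinfo=UTC)},   # principal no longer exists
    {"serial": 104, "issuer": OUR_ISSUER, "sans": ["gone.example.test"],
     "not_after": datetime(2020, 1, 1, tzinfo=UTC)},   # already expired
    {"serial": 105, "issuer": "CN=Other CA", "sans": ["foreign.example.test"],
     "not_after": datetime(2030, 1, 1, tzinfo=UTC)},   # not our assertion
]


def known_names(directory):
    """Flatten the directory into the set of names it currently backs."""
    names = set()
    for sans in directory.values():
        names |= sans
    return names


def revocation_candidates(issued, directory, our_issuer, now):
    """Return [(serial, unbacked_sans), ...] for every cert we signed that is
    still within its validity period and carries a SAN the directory no
    longer vouches for. Expired certs and certs from other CAs are skipped:
    the first assertion has lapsed on its own, the second was never ours."""
    names = known_names(directory)
    out = []
    for cert in issued:
        if cert["issuer"] != our_issuer or cert["not_after"] <= now:
            continue
        missing = sorted(s for s in cert["sans"] if s not in names)
        if missing:
            out.append((cert["serial"], missing))
    return out


if __name__ == "__main__":
    now = datetime(2025, 1, 1, tzinfo=UTC)
    print(revocation_candidates(ISSUED, DIRECTORY, OUR_ISSUER, now))
```

Because the assertion must hold for the whole validity period, the check is meant to be re-run whenever the directory changes, not only at issuance: deleting `host/db1.example.test` from the directory makes serial 102 a candidate on the next run.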
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project