URL: https://github.com/freeipa/freeipa/pull/228
Title: #228: cert-request: allow directoryName in SAN extension
tiran commented:
"""
@frasertweedale I still think it's a useful and uncontroversial improvement. As
a matter of fact I don't understand why this simple and obvious change resulted
frasertweedale commented:
"""
I'm closing this PR (and associated ticket).
I felt it was an uncontroversial change (and tbh it looks like there are numbers
on my side), but no one is
tomaskrizek commented:
"""
@frasertweedale Oh, I didn't realize the DN in SAN matches the LDAP DN, while
the Subject DN does not.
In that case, this PR makes sense to me as is. I al
jcholast commented:
"""
Ok,
> Why do you see a relationship between the subject DN of an X.509 and the
> directoryName general name in SAN X.509v3 extension?
According to RFC 5280 s
tiran commented:
"""
I'm on topic and I'm trying to understand your point. Why do you see a
relationship between the subject DN of an X.509 and the directoryName general
name in SAN
jcholast commented:
"""
@tiran, could you please stay on topic? I haven't said anything about it being
mandatory, and it's not the point anyway (consistency between subject DN and DN
tiran commented:
"""
@jcholast I'm not familiar with any standard that mandates that an X.509 Subject
DN should identify a subject in a directory. Which standard mandates the
relatio
frasertweedale commented:
"""
@jcholast OK. Let's put this PR on ice for now... I may well take up your
suggestion to allow subject DN to match LDAP DN, but I don't have the cycles
jcholast commented:
"""
@frasertweedale, if the subject DN need not match the LDAP DN, then DN SANs
need not match it as well - both the subject DN and DN SANs are supposed to
ident
frasertweedale commented:
"""
@tomaskrizek
1. The SAN DN is permitted if it matches the IPA principal's full DN in LDAP.
The _certificate_ subject DN need not match the LDAP DN.
tomaskrizek commented:
"""
As I have understood from the mailing list discussion, we have two options:
1. We use this patch as is. That means Subject Alternative Name (SAN) DN always