from:"Christina Fu"

Re: [Freeipa-devel] [Pki-devel] Design review request: RFC 2818 certificate compliance

2016-03-14 Thread Christina Fu




On 03/12/2016 11:51 PM, Fraser Tweedale wrote:

On Fri, Mar 11, 2016 at 10:20:49AM -0800, Christina Fu wrote:

Hi Fraser,

I think the general idea looks good.  If tested to work, I actually think
you should have it replace the current caServerCert.cfg and make it the
default server cert profile for Dogtag.  So I'd suggest you name things more
generically.


Thanks Christina for the feedback.  W.r.t naming, can you clarify
what you think should be more generic and why?
Actually it was more of a preemptive comment that was not specifically 
directed towards anything in your current design.
I just took a closer look, and I think your new profile plugin name 
(|SubjectAltNameCopyCNDefault|) sounds good.


About replacing existing caServerCert.cfg, consider keeping it, but
1. name the new profile something like caServerSANCert.cfg
2. make caServerSANCert.cfg default (enable it), and disable 
caServerCert.cfg by default


Anyway, you get the idea.  The point is that I think we should 
fundamentally adhere to the standard in Dogtag, so such a fix should be 
part of the Dogtag default.


thanks,
Christina




Just for your reference, there is an implementation that injects SAN(s) into
server certs at time of Dogtag instance creation.  It also allows one to put
multiple SANs in one ssl server cert:
https://fedorahosted.org/pki/ticket/1316#comment:14
again, it's only limited to pkispawn option so it serves a different
purpose.

Christina

On 03/10/2016 05:06 PM, Fraser Tweedale wrote:

On Mon, Mar 07, 2016 at 07:33:52AM +0100, Jan Cholasta wrote:

Hi,

On 29.2.2016 07:59, Fraser Tweedale wrote:

Hi all (especially those interested in certificates),

Please provide early review of my design for RFC 2818 compliance
which will address the following tickets:

- #4970 Server certificate profile should always include a Subject Alternate 
name for the host
- #5706 [RFE] Support SAN-only certificates

http://www.freeipa.org/page/V4/RFC_2818_certificate_compliance

The design is a WIP and there is no code for it yet.  Looking for
feedback and (hopefully) validation of the approach before
committing cycles to implementing new profile components in Dogtag.

1) Do wildcard certificates need special handling? There is no mention of
them in the design doc.


No special handling of wildcard certs is needed but I've added some
commentary to the design page.


2) Should we accept invalid CSR where CN length is greater than 64? I
wouldn't be surprised if these existed in the wild.


Good question.  I agree such CSRs probably exist.  There are various
ways to handle them:

a) Reject request (with useful message; instruction to issue
SAN-only request instead)

b) Issue non-compliant cert with overlong CN.  It will be helpful to
find out how important clients handle such certs.

c) Accept the CSR but "promote" the overlong CN from CSR into a SAN
dnsName, and issue a SAN-only cert.  Some clients may not handle
such certs very well.

Personally I like (c), because the user intent is clear but we still
issue a valid cert, however, I expect there are clients out there
(particularly in "enterprise" environments?) that will not handle it
well.

I've copied pki-devel@ to solicit additional insights here :)


3) Sometimes it is not clear which parts belong to Dogtag and which to IPA
itself. For example the upgrade section - I assume Dogtag should update
registry.cfg and IPA caIPAserviceCert profile, but it is not clearly stated
anywhere.


Thanks, I've added clarifying remarks.  In brief: yes Dogtag should
update registry.cfg, but FreeIPA should update the profile.

Thank you for your feedback, Jan.
Fraser

___
Pki-devel mailing list
pki-de...@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [Pki-devel] Design review request: RFC 2818 certificate compliance

2016-03-11 Thread Christina Fu


Hi Fraser,

I think the general idea looks good.  If tested to work, I actually 
think you should have it replace the current caServerCert.cfg and make 
it the default server cert profile for Dogtag.  So I'd suggest you name 
things more generically.


Just for your reference, there is an implementation that injects SAN(s) 
into server certs at time of Dogtag instance creation.  It also allows 
one to put multiple SANs in one ssl server cert:

https://fedorahosted.org/pki/ticket/1316#comment:14
again, it's only limited to pkispawn option so it serves a different 
purpose.


Christina

On 03/10/2016 05:06 PM, Fraser Tweedale wrote:

On Mon, Mar 07, 2016 at 07:33:52AM +0100, Jan Cholasta wrote:

Hi,

On 29.2.2016 07:59, Fraser Tweedale wrote:

Hi all (especially those interested in certificates),

Please provide early review of my design for RFC 2818 compliance
which will address the following tickets:

- #4970 Server certificate profile should always include a Subject Alternate 
name for the host
- #5706 [RFE] Support SAN-only certificates

http://www.freeipa.org/page/V4/RFC_2818_certificate_compliance

The design is a WIP and there is no code for it yet.  Looking for
feedback and (hopefully) validation of the approach before
committing cycles to implementing new profile components in Dogtag.

1) Do wildcard certificates need special handling? There is no mention of
them in the design doc.


No special handling of wildcard certs is needed but I've added some
commentary to the design page.


2) Should we accept invalid CSR where CN length is greater than 64? I
wouldn't be surprised if these existed in the wild.


Good question.  I agree such CSRs probably exist.  There are various
ways to handle them:

a) Reject request (with useful message; instruction to issue
SAN-only request instead)

b) Issue non-compliant cert with overlong CN.  It will be helpful to
find out how important clients handle such certs.

c) Accept the CSR but "promote" the overlong CN from CSR into a SAN
dnsName, and issue a SAN-only cert.  Some clients may not handle
such certs very well.

Personally I like (c), because the user intent is clear but we still
issue a valid cert, however, I expect there are clients out there
(particularly in "enterprise" environments?) that will not handle it
well.

I've copied pki-devel@ to solicit additional insights here :)


3) Sometimes it is not clear which parts belong to Dogtag and which to IPA
itself. For example the upgrade section - I assume Dogtag should update
registry.cfg and IPA caIPAserviceCert profile, but it is not clearly stated
anywhere.


Thanks, I've added clarifying remarks.  In brief: yes Dogtag should
update registry.cfg, but FreeIPA should update the profile.

Thank you for your feedback, Jan.
Fraser

___
Pki-devel mailing list
pki-de...@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel


--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] Karma Request for JSS 4.2.6-39 on Fedora 24

2016-05-20 Thread Christina Fu

Had to respin due to small piece of incompatible code that failed to 
compile on rhel7.


The following candidate builds of JSS 4.2.6-39 for Fedora 24 (final) 
consist of the following:
jss-4.2.6-40.fc24 
<http://koji.fedoraproject.org/koji/buildinfo?buildID=767180>


Please provide Karma for these builds in Bodhi located at:

https://bodhi.fedoraproject.org/updates/FEDORA-2016-c036afbe30

Additionally, the following builds have been provided for Fedora 
25(rawhide):
jss-4.2.6-40.fc25 
<http://koji.fedoraproject.org/koji/buildinfo?buildID=767181>


Thanks,
Christina

On 05/19/2016 02:38 PM, Christina Fu wrote:
The following candidate builds of JSS 4.2.6-39 for Fedora 24 (final) 
consist of the following:
jss-4.2.6-39.fc24 
<http://koji.fedoraproject.org/koji/buildinfo?buildID=721052>


Please provide Karma for these builds in Bodhi located at:
https://bodhi.fedoraproject.org/updates/FEDORA-2016-d3c8f022c5

Additionally, the following builds have been provided for Fedora 25 
(rawhide):
jss-4.2.6-39.fc25 
<http://koji.fedoraproject.org/koji/buildinfo?buildID=767176>


Thanks,
Christina


-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] Karma Request for JSS 4.2.6-39 on Fedora 24

2016-05-20 Thread Christina Fu

The following candidate builds of JSS 4.2.6-39 for Fedora 24 (final) 
consist of the following:
jss-4.2.6-39.fc24 



Please provide Karma for these builds in Bodhi located at:
https://bodhi.fedoraproject.org/updates/FEDORA-2016-d3c8f022c5

Additionally, the following builds have been provided for Fedora 25 
(rawhide):
jss-4.2.6-39.fc25 



Thanks,
Christina
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [Pki-devel] Design review request: RFC 2818 certificate compliance

Re: [Freeipa-devel] [Pki-devel] Design review request: RFC 2818 certificate compliance

Re: [Freeipa-devel] Karma Request for JSS 4.2.6-39 on Fedora 24

[Freeipa-devel] Karma Request for JSS 4.2.6-39 on Fedora 24

4 matches

Site Navigation

Mail list logo

Footer information