URL: https://github.com/freeipa/freeipa/pull/228
Title: #228: cert-request: allow directoryName in SAN extension
tiran commented:
"""
@frasertweedale I still think it's a useful and uncontroversial improvement. As
a matter of fact I don't understand why this simple and obvious change resulted
frasertweedale commented:
"""
I'm closing this PR (and associated ticket).
I felt it was an uncontroversial change (and tbh it looks like there are numbers
on my side), but no one is
tomaskrizek commented:
"""
@frasertweedale Oh, I didn't realize the DN in SAN matches the LDAP DN, while
the Subject DN does not.
In that case, this PR makes sense to me as is. I
jcholast commented:
"""
Ok,
> Why do you see a relationship between the subject DN of an X.509 and the
> directoryName general name in SAN X.509v3 extension?
According to RFC 5280
tiran commented:
"""
I'm on topic and I'm trying to understand your point. Why do you see a
relationship between the subject DN of an X.509 and the directoryName general
name in SAN
jcholast commented:
"""
@tiran, could you please stay on topic? I haven't said anything about it being
mandatory, and it's not the point anyway (consistency between subject DN and
tiran commented:
"""
@jcholast I'm not familiar with any standard that mandates that an X.509 Subject
DN should identify a subject in a directory. Which standard mandates the
frasertweedale commented:
"""
@jcholast OK. Let's put this PR on ice for now... I may well take up your
suggestion to allow subject DN to match LDAP DN, but I don't have the cycles
jcholast commented:
"""
@frasertweedale, if the subject DN need not match the LDAP DN, then DN SANs
need not match it as well - both the subject DN and DN SANs are supposed to
frasertweedale commented:
"""
@tomaskrizek
1. The SAN DN is permitted if it matches the IPA principal's full DN in LDAP.
The _certificate_ subject DN need not match the LDAP DN.