[Freeipa-devel] Re: Certificate enrollment, principal names
Simo Sorce
ssorce at redhat.com
Thu Nov 5 20:57:36 UTC 2009
On Thu, 2009-11-05 at 11:53 -0800, Andrew Wnuk wrote:
> >> CSR is parsed and validated by CA.
> >>
> > How does the CA know "Who" asked for a specific cert ?
> >
> > Simo.
> >
> >
> CA authenticates IPA and validates CSR, IPA authenticates and
> authorizes.
Yes I know, this is the problem.
IPA is almost blind about what's in the CSR (which comes straight from
the client), and the RA trusts IPA to make "correct" requests.
So we need to verify within the IPA server that a client is not trying
to sneak stuff in fields like subjectAltName and any other field a
client may rely on for authentication/authorization purposes.
Rob just opened a bug about that.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
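The check Simo is asking for, as an added example that is not FreeIPA's or Dogtag's code: the IPA server side parses the client-supplied CSR and rejects any identity-bearing field (commonName, every subjectAltName entry) that the authenticated host principal has no right to claim. The policy (a host principal may only name its own FQDN, otherName/rfc822Name/iPAddress SANs are refused), the function names `build_csr`, `extract_names` and `check_csr`, and the sample CSRs are all this example's assumptions. The CSRs are built with a tiny DER encoder so the block runs offline; their public key and signature are dummy bytes and are never verified here.

```python
"""Server-side CSR name check (added example, not FreeIPA code).

Policy assumed for illustration: a host principal host/FQDN@REALM may
request a certificate whose CN and every SAN are exactly FQDN; any other
name, and any otherName/rfc822Name/iPAddress SAN, is rejected.
"""

# ---- minimal DER helpers (enough for a CSR skeleton) ----------------------
SEQ, SET, INT, OID, UTF8, OCTET, BITSTR, NULL = 0x30, 0x31, 0x02, 0x06, 0x0C, 0x04, 0x03, 0x05
CTX0 = 0xA0                                          # [0] constructed: CSR attributes
OID_CN = bytes.fromhex("550403")                     # 2.5.4.3 commonName
OID_SAN = bytes.fromhex("551D11")                    # 2.5.29.17 subjectAltName
OID_EXT_REQ = bytes.fromhex("2A864886F70D01090E")    # 1.2.840.113549.1.9.14 extensionRequest
GN_OTHER, GN_EMAIL, GN_DNS, GN_IP = 0xA0, 0x81, 0x82, 0x87   # GeneralName context tags


def der(tag, payload):
    """Encode one TLV with a definite (short or long form) length."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def der_children(buf):
    """Split the contents of a constructed value into (tag, value) children."""
    out, off = [], 0
    while off < len(buf):
        tag, ln, off = buf[off], buf[off + 1], off + 2
        if ln & 0x80:                                 # long-form length
            k = ln & 0x7F
            ln, off = int.from_bytes(buf[off:off + k], "big"), off + k
        out.append((tag, buf[off:off + ln]))
        off += ln
    return out


# ---- constructed CSR builder: dummy key and signature, never verified -----
def build_csr(cn, general_names):
    """general_names: list of (GeneralName tag, raw bytes) for the SAN extension."""
    subject = der(SEQ, der(SET, der(SEQ, der(OID, OID_CN) + der(UTF8, cn.encode()))))
    rsa_oid = der(OID, bytes.fromhex("2A864886F70D010101"))
    spki = der(SEQ, der(SEQ, rsa_oid + der(NULL, b"")) + der(BITSTR, b"\x00" * 17))  # placeholder key
    attrs = b""
    if general_names:
        names = der(SEQ, b"".join(der(t, v) for t, v in general_names))
        ext = der(SEQ, der(OID, OID_SAN) + der(OCTET, names))
        attrs = der(SEQ, der(OID, OID_EXT_REQ) + der(SET, der(SEQ, ext)))
    info = der(SEQ, der(INT, b"\x00") + subject + spki + der(CTX0, attrs))
    sig_alg = der(SEQ, der(OID, bytes.fromhex("2A864886F70D01010B")) + der(NULL, b""))
    return der(SEQ, info + sig_alg + der(BITSTR, b"\x00" * 9))     # placeholder signature


# ---- what the IPA server must look at before handing the CSR to the RA ---
def extract_names(csr):
    """Return (commonName or None, [(GeneralName tag, value), ...]) from a DER CSR."""
    outer = der_children(csr)[0][1]                      # CertificationRequest contents
    info = der_children(der_children(outer)[0][1])       # version, subject, spki, [0] attrs
    cn = None
    for _t, rdn in der_children(info[1][1]):
        for _t2, atv in der_children(rdn):
            oid, val = der_children(atv)
            if oid[1] == OID_CN:
                cn = val[1].decode()
    sans = []
    attrs = info[3][1] if len(info) > 3 and info[3][0] == CTX0 else b""
    for _t, attr in der_children(attrs):
        oid, values = der_children(attr)
        if oid[1] != OID_EXT_REQ:
            continue
        for _t2, extensions in der_children(values[1]):
            for _t3, ext in der_children(extensions):
                fields = der_children(ext)
                if fields[0][1] == OID_SAN:              # extnValue OCTET STRING wraps GeneralNames
                    for _t4, names in der_children(fields[-1][1]):
                        sans.extend(der_children(names))
    return cn, sans


def check_csr(csr, principal):
    """Return a list of policy violations; an empty list means the CSR may be forwarded."""
    if not principal.startswith("host/"):
        raise ValueError("only host principals may enroll here (example policy)")
    hostname = principal.split("@", 1)[0][len("host/"):].lower()
    cn, sans = extract_names(csr)
    problems = []
    if cn is None or cn.lower() != hostname:
        problems.append(f"CN {cn!r} is not the requesting host {hostname!r}")
    for tag, value in sans:
        if tag == GN_DNS:
            name = value.decode("ascii", "replace").lower()
            if name != hostname:
                problems.append(f"dNSName {name!r} is not owned by {hostname!r}")
        elif tag == GN_OTHER:
            problems.append("otherName SAN (e.g. a Kerberos principal) is not accepted from clients")
        elif tag == GN_EMAIL:
            problems.append(f"rfc822Name {value!r} is not accepted from clients")
        elif tag == GN_IP:
            problems.append("iPAddress SAN is not accepted from clients")
        else:
            problems.append(f"GeneralName tag 0x{tag:02X} is not accepted from clients")
    return problems


if __name__ == "__main__":
    me = "host/web.example.com@EXAMPLE.COM"
    honest = build_csr("web.example.com", [(GN_DNS, b"web.example.com")])
    sneaky = build_csr("web.example.com", [(GN_DNS, b"web.example.com"),
                                           (GN_DNS, b"ipa.example.com"),
                                           (GN_OTHER, b"\x06\x06\x2b\x06\x01\x05\x02\x02")])
    print("honest:", check_csr(honest, me))
    print("sneaky:", check_csr(sneaky, me))
```

Everything identity-related is decided from `principal`, which comes from the Kerberos-authenticated session, never from the CSR itself; the CSR is treated as untrusted input whose names are compared against that principal before anything is forwarded to the RA.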