[Freeipa-devel] Re: Certificate enrollment, principal names
Dmitri Pal
dpal at redhat.com
Fri Nov 6 16:16:17 UTC 2009
Simo Sorce wrote:
> On Fri, 2009-11-06 at 09:08 -0500, Rob Crittenden wrote:
>
>> Simo Sorce wrote:
>>
>>> On Thu, 2009-11-05 at 13:21 -0500, Rob Crittenden wrote:
>>>
>>>> This is about right. What you're missing is storing the certificate
>>>> in
>>>> the service record. To do this we need to know what the target is.
>>>>
>>>> Nalin and I simply took two different approaches to sending this. We
>>>> can
>>>> easily support either method by making the principal an optional
>>>> attribute and looking for it in the CSR if not provided (assuming I
>>>> can
>>>> get my head around PKCS#10 enough to grab attributes).
>>>>
>>> Given we should prevent "tricks" from people the server side should
>>> really parse the CSR and validate it against the ACL IMO.
>>> Otherwise do we have any other part that checks that host
>>> foo.example.com is asking a certificate for itself and not for
>>> bar.example.com ?
>>>
>>> Simo.
>>>
>>>
>> When binding using machine credentials, in order to request a
>> certificate for any host they need to be in the managedBy attribute of
>> the target service entry.
>>
>
> I know, but I was referring to stuff like subjectAltName.
> Not sure if we need to test it against an ACL to be honest, but we need
> to validate that as well (and any other attribute that can affect client
> behavior). Whether this is done in IPA or in the CA is not really
> important as long as it is done by a component that have enough
> information to determine what is ok or not, depending on the "user"
> requesting the new cert.
> For example admin may be allowed to stuff just any random crap in
> subjectAltName but maybe a host shouldn't be.
>
> Simo.
>
>
How important is this check?
In the scenario:
* we already authenticated the peer - admin or host using kerberos
* we checked the access rights of the authenticated entity against the
principal name he tries to issue cert to
and determined that entity can do the operation
* now we also need to check the the subjectAltName? Why? What is the
attack scenario?
What are we trying to prevent with this check?
Thanks
Dmitri
--
Thank you,
Dmitri Pal
Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
More information about the Freeipa-devel
mailing list