[Freeipa-devel] Re: Certificate enrollment, principal names
Dmitri Pal
dpal at redhat.com
Fri Nov 6 16:48:05 UTC 2009
Simo Sorce wrote:
> On Fri, 2009-11-06 at 08:21 -0800, Andrew Wnuk wrote:
>
>> Some of this random stuff could be filtered on the client side before
>> CSR is generated.
>>
>
> You can't trust the client, period.
>
> Simo.
>
>
>
This is where you lost me.
You can't trust the client unless it is authenticated.
But it authenticated so it is trusted to say what it wants.
If it wants something not allowed it would not be
allowed but at least after authentication you trust
client's claim that the client is actually the entity
it says it is. Where is the problem? That the client sends some garbage?
That the client's identity was hijacked?
If it was we either have a case of a stolen admin password and then I do
not think you can do a lot about it or
someone impersonated the host and requested a cert for a service that
this host is allowed to request certs for
so how you can distinguish it from a valid request?
Sorry, may be I am missing something but I still do not get the point.
Can someone explain please what we want to prevent from happening?
--
Thank you,
Dmitri Pal
Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
More information about the Freeipa-devel
mailing list