[Freeipa-devel] Re: Certificate enrollment, principal names
Simo Sorce
ssorce at redhat.com
Fri Nov 6 18:24:34 UTC 2009
On Fri, 2009-11-06 at 12:58 -0500, Dmitri Pal wrote:
>
> This all makes sense but Rob's question from the bug is still open:
>
> "The question is, even if we can look at subjectAltName in the IPA backend how
> will we prevent users from mis-using subjectAltName, such as requesting a cert
> for a host they don't control?"

My natural paranoid answer is: by making a white list of what is allowed
and refusing anything else.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
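
The white-list approach from the reply above, sketched as an added example that is not part of the original message and is not FreeIPA code. It assumes the subjectAltName entries have already been parsed out of the CSR into (type, value) pairs; `ALLOWED_SANS`, `check_san_request` and the principal names are hypothetical, and the sample data is constructed.

```python
# Added example: deny-by-default check of requested subjectAltName entries.
# ALLOWED_SANS and the (type, value) input shape are assumptions for illustration.

ALLOWED_SAN_TYPES = {"dNSName"}  # every other SAN type is refused

# Constructed sample data: requesting principal -> host names it may certify.
ALLOWED_SANS = {
    "host/web1.example.com@EXAMPLE.COM": {"web1.example.com", "www.example.com"},
    "host/db1.example.com@EXAMPLE.COM": {"db1.example.com"},
}


def normalize_dns(name):
    """Lower-case and drop one trailing dot so comparisons are exact."""
    name = name.strip().lower()
    return name[:-1] if name.endswith(".") else name


def check_san_request(principal, requested, allowed=ALLOWED_SANS):
    """Return (ok, refused) for SAN entries already parsed out of a CSR.

    requested: list of (san_type, value) tuples. Anything not explicitly
    allowed for this principal is refused, including unknown principals,
    non-dNSName types and wildcard names.
    """
    permitted = {normalize_dns(n) for n in allowed.get(principal, set())}
    refused = []
    for san_type, value in requested:
        if san_type not in ALLOWED_SAN_TYPES:
            refused.append((san_type, value, "SAN type not allowed"))
            continue
        name = normalize_dns(value)
        if "*" in name:
            refused.append((san_type, value, "wildcards not allowed"))
        elif name not in permitted:
            refused.append((san_type, value, "name not on allow list"))
    return (not refused, refused)


if __name__ == "__main__":
    # Constructed request: one name the host controls, one it does not.
    req = [("dNSName", "WEB1.example.com."), ("dNSName", "db1.example.com")]
    print(check_san_request("host/web1.example.com@EXAMPLE.COM", req))
```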