[Freeipa-devel] [PATCH] 210 Allow SAN in IPA certificate profile

Simo Sorce simo at redhat.com
Thu Jan 9 14:04:16 UTC 2014


On Thu, 2014-01-09 at 09:51 +0100, Martin Kosek wrote:
> On 01/09/2014 12:26 AM, Simo Sorce wrote:
> > On Thu, 2013-12-05 at 14:37 +0100, Jan Cholasta wrote:
> >> Hi,
> >>
> >> the attached patch fixes <https://fedorahosted.org/freeipa/ticket/3977>.
> > 
> > See the additional comments on 3977, I think this patch should be NACKed
> > with extreme prejudice if it allows setting arbitrary subjectAltNames.
> > 
> > Simo.
> > 
> 
> It does not allow them - SANs are being authorized by using the managedBy
> attribute on the SAN-ed host/service (i.e. host-add-managedby/service-add-host
> commands).

This means that in order to add a subjectAltName you have to register a
Host with that name? That is not really convenient, but if it works at
least it properly constrains potential hijacking.

> But you are right that the authorization part should not be taken lightly and
> should be verified before we allow SANs in the default profile. I added a comment
> in the Trac as well.

Yes, we definitely need a test to make 100% sure this cannot be worked
around; the security consequences would be disastrous.

Also maybe we should allow admins to bypass the need to have an actual
object to represent the alt name?

We will need this type of functionality if we want to allow admins to
create wildcard certificates anyway, which is another important use case
for hosting/cloud-like services.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
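
A minimal model of the authorization rule discussed in this thread, added here as an illustration and not FreeIPA's code: each requested dNSName must match an existing host entry whose managedBy lists the requester. The directory contents, host names and function names are constructed for the example.

```python
# Added illustration, not FreeIPA code. Constructed stand-in for the directory:
# host FQDN -> principals listed in that entry's managedBy attribute.
MANAGED_BY = {
    "web1.example.test": {"web1.example.test"},
    "www.example.test": {"web1.example.test"},   # web1 manages www
    "db1.example.test": {"db1.example.test"},
}


def normalize(name):
    """Canonical form for comparison: trimmed, lower-case, no trailing dot."""
    return name.strip().lower().rstrip(".")


def unauthorized_sans(requester, san_dns_names, managed_by=MANAGED_BY):
    """Return the requested dNSName values the requester may not certify.

    A name passes only if a host entry exists for it and the requester is
    listed in that entry's managedBy. A wildcard never matches an entry, so
    it is refused here; the thread treats wildcards as a separate admin case.
    """
    requester = normalize(requester)
    denied = []
    for raw in san_dns_names:
        name = normalize(raw)
        managers = managed_by.get(name)
        if "*" in name or managers is None or requester not in managers:
            denied.append(raw)
    return denied


def authorize_request(requester, san_dns_names, managed_by=MANAGED_BY):
    """Fail closed: one unauthorized name rejects the whole request."""
    return not unauthorized_sans(requester, san_dns_names, managed_by)


if __name__ == "__main__":
    req = "web1.example.test"
    print(authorize_request(req, ["www.example.test"]))
    print(unauthorized_sans(req, ["WWW.Example.Test.", "db1.example.test",
                                  "*.example.test", "nohost.example.test"]))
```

The cases a regression test for this rule should cover are the ones exercised here: a managed name, a name managed by someone else, a name with no host entry, a wildcard, and case or trailing-dot variants of an allowed name.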
