[Freeipa-devel] caacl enforcement for subjectAltName principals

Fraser Tweedale ftweedal at redhat.com
Fri Jul 3 03:14:57 UTC 2015


On Thu, Jul 02, 2015 at 06:24:12PM +0200, Petr Spacek wrote:
> On 2.7.2015 16:33, Fraser Tweedale wrote:
> > Hi all,
> > 
> > cert-request ensures that any dNSName values in a CSR subjectAltName
> > requestExtension have a corresponding service/host principal in
> > FreeIPA and that their entries are writable by the bind principal.
> > 
> > It currently DOES NOT enforce CA ACLs for these alternative
> > principals, i.e. it does not check that there is a caacl rule
> > allowing issuance of certificates to each alt-principal (using the
> > chosen profile.)
> > 
> > Should it?  I'm leaning towards "yes" but I want other perspectives.
> 
> I would say 'it has to!' :-)
> 
> From my point of view, subjectAltName allows the entity possessing the private
> key for the certificate to impersonate anything mentioned in
> SubjectAltName and CN ...
> 
Thanks Petr, that's enough corroboration for me.

Ticket: https://fedorahosted.org/freeipa/ticket/5096
Expect the patch Friday some time.
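To make the proposed check concrete, here is an added example (not FreeIPA's cert-request code) that models the existing dNSName checks and extends CA ACL enforcement to every subjectAltName principal; the data shapes, hostnames, realm and profile name are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CAACL:
    """Model of a caacl rule: profiles it permits, principals it covers (assumed shape)."""
    profiles: frozenset
    principals: frozenset


# Constructed sample directory data; real FreeIPA resolves these via LDAP.
HOST_PRINCIPALS = {  # dNSName -> service principal owning that name
    "web1.example.test": "HTTP/web1.example.test@EXAMPLE.TEST",
    "www.example.test": "HTTP/www.example.test@EXAMPLE.TEST",
}
WRITABLE_BY = {  # principal -> bind principals allowed to write its entry
    "HTTP/web1.example.test@EXAMPLE.TEST": {"host/web1.example.test@EXAMPLE.TEST"},
    "HTTP/www.example.test@EXAMPLE.TEST": {"host/web1.example.test@EXAMPLE.TEST"},
}
# Only the subject's principal is covered; the alt name's principal is not.
CAACLS = [CAACL(frozenset({"exampleProfile"}),
                frozenset({"HTTP/web1.example.test@EXAMPLE.TEST"}))]


def caacl_permits(caacls, principal, profile):
    """True if some CA ACL allows issuing to `principal` with `profile`."""
    return any(principal in a.principals and profile in a.profiles for a in caacls)


def check_cert_request(bind_principal, subject_principal, san_dnsnames, profile,
                       host_principals=HOST_PRINCIPALS, writable_by=WRITABLE_BY,
                       caacls=CAACLS):
    """Return every principal the cert would name, or raise PermissionError.

    Steps 1-2 are the checks cert-request already performs on SAN dNSNames;
    step 3 is the CA ACL enforcement the thread proposes for alt principals.
    """
    principals = [subject_principal]
    for name in san_dnsnames:
        alt = host_principals.get(name)
        if alt is None:                                      # 1: principal must exist
            raise PermissionError(f"no host/service principal for dNSName {name}")
        if bind_principal not in writable_by.get(alt, ()):  # 2: entry must be writable
            raise PermissionError(f"{bind_principal} may not write entry of {alt}")
        principals.append(alt)
    for p in principals:                                     # 3: caacl for each principal
        if not caacl_permits(caacls, p, profile):
            raise PermissionError(f"no CA ACL permits profile {profile} for {p}")
    return principals
```

Without step 3, the request naming www.example.test in the SAN would be issued on the strength of the subject's CA ACL alone, which is the gap the thread describes.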
