[Freeipa-devel] [PATCH] 0095 cert-request: allow directoryName in SAN extension

Jan Cholasta jcholast at redhat.com
Fri Aug 26 08:41:37 UTC 2016


Hi,

On 22.7.2016 07:18, Fraser Tweedale wrote:
> While I was poking around SAN-processing code, I decided to
> implement a small enhancement: allowing the subject principal's DN
> to appear in SAN.
>
> https://fedorahosted.org/freeipa/ticket/6112
>
> Patch depends on my other patches 0090, 0092, 0093, 0094.

I don't think this is how DN SANs are supposed to be handled. For 
example, see this bit about DN name constraints in RFC 5280 section 
4.2.1.10:

    Restrictions of the form directoryName MUST be applied to the subject
    field in the certificate (when the certificate includes a non-empty
    subject field) and to any names of type directoryName in the
    subjectAltName extension.

It would appear to me that DN SANs only provide additional values to the 
subject name of the certificate and thus should be treated the same way 
as the subject name.

We don't impose any restrictions on subject names with regard to the DN of 
the subject LDAP entry, so I think we should not do it for DN SANs 
either. Or, alternatively, we should do it for both.

Honza

-- 
Jan Cholasta
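The RFC 5280 behaviour referred to above, as an added example that is not FreeIPA code and not the patch under discussion: a minimal DER encoder and parser for a subjectAltName value containing dNSName and directoryName entries, and a permitted-subtree check that is applied uniformly to the subject field and to every directoryName SAN, which is the "treat them the same way" reading of section 4.2.1.10. The OID constants, DER helpers and sample DNs are constructed for the example; the subtree test simplifies RFC 5280 name matching to exact RDN-by-RDN prefix equality, and all attribute values are encoded as UTF8String for brevity.

```python
"""Added example (not FreeIPA code): directoryName SANs handled like the subject.

DER helpers are deliberately minimal; DNs are lists of (oid, value) pairs in
DER order, i.e. the root RDN (e.g. DC=com) first.
"""

OID_CN = "2.5.4.3"                       # commonName
OID_O = "2.5.4.10"                       # organizationName
OID_DC = "0.9.2342.19200300.100.1.25"    # domainComponent


def _len(n):
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))


def encode_name(rdns):
    """Name ::= SEQUENCE OF RDN, each RDN a SET of one AVA (UTF8String value)."""
    return tlv(0x30, b"".join(
        tlv(0x31, tlv(0x30, encode_oid(oid) + tlv(0x0C, val.encode())))
        for oid, val in rdns))


def encode_san(general_names):
    """general_names: list of ("dns", str) or ("dirname", rdns)."""
    parts = []
    for kind, val in general_names:
        if kind == "dns":
            parts.append(tlv(0x82, val.encode("ascii")))  # [2] IMPLICIT IA5String
        elif kind == "dirname":
            parts.append(tlv(0xA4, encode_name(val)))      # [4] EXPLICIT Name
        else:
            raise ValueError(kind)
    return tlv(0x30, b"".join(parts))


def _read_tlv(buf, pos):
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    pos = 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        yield tag, val


def decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_name(name_der):
    """Parse a full Name TLV back into [(oid, value), ...]."""
    tag, seq_body, _ = _read_tlv(name_der, 0)
    assert tag == 0x30, "Name must be a SEQUENCE"
    rdns = []
    for set_tag, set_body in _children(seq_body):
        assert set_tag == 0x31, "RDN must be a SET"
        for _, ava_body in _children(set_body):
            (_, oid_val), (_, str_val) = list(_children(ava_body))
            rdns.append((decode_oid(oid_val), str_val.decode()))
    return rdns


def san_directory_names(san_der):
    """Every directoryName ([4]) GeneralName in a SAN extension value."""
    tag, body, _ = _read_tlv(san_der, 0)
    assert tag == 0x30, "SAN must be a SEQUENCE OF GeneralName"
    return [decode_name(val) for tag, val in _children(body) if tag == 0xA4]


def within_subtree(name, base):
    """Simplified RFC 5280 directoryName subtree test: base is an RDN prefix."""
    return name[:len(base)] == base


def check_dn_constraint(subject, san_der, permitted_base):
    """Apply one permitted directoryName subtree to the subject and to every
    directoryName SAN, as RFC 5280 4.2.1.10 requires for name constraints."""
    names = [subject] + san_directory_names(san_der)
    return all(within_subtree(n, permitted_base) for n in names)


# Constructed sample data (not taken from any real certificate).
BASE = [(OID_DC, "com"), (OID_DC, "example")]
SUBJECT = BASE + [(OID_CN, "host.example.com")]
GOOD_SAN = encode_san([("dns", "host.example.com"),
                       ("dirname", BASE + [(OID_CN, "host/host.example.com")])])
BAD_SAN = encode_san([("dirname", [(OID_O, "Other Org"), (OID_CN, "host.example.com")])])

if __name__ == "__main__":
    print("dirName SANs:", san_directory_names(GOOD_SAN))
    print("good SAN passes:", check_dn_constraint(SUBJECT, GOOD_SAN, BASE))
    print("bad SAN passes:", check_dn_constraint(SUBJECT, BAD_SAN, BASE))
```

The point of `check_dn_constraint` is that the subject and the directoryName SANs go through one list and one test; a policy that only inspected the subject would accept `BAD_SAN`, whose directoryName sits outside the permitted subtree.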
