[Freeipa-devel] [freeipa PR#228][comment] cert-request: allow directoryName in SAN extension

jcholast freeipa-github-notification at redhat.com
Tue Nov 29 09:34:14 UTC 2016


  URL: https://github.com/freeipa/freeipa/pull/228
Title: #228: cert-request: allow directoryName in SAN extension

jcholast commented:
"""
@frasertweedale, if the subject DN need not match the LDAP DN, then DN SANs need not match it either - both the subject DN and DN SANs are supposed to identify the subject in the directory, and for us the directory is LDAP. There should be no special-casing one way or the other; if something is allowed for the subject DN it must be allowed for DN SANs and vice versa (with the exception of the special handling of the most specific CN in the subject DN of server certificates). The fact that we currently require a non-LDAP subject DN in `cert-request` is a different issue. All I'm asking for is consistency. If we first allowed the subject DN to match the LDAP DN I would be perfectly happy with this PR.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/228#issuecomment-263521018

