[Freeipa-users] Why does a SAN field on a CSR require a host to be in IPA?

Michael Ströder michael at stroeder.com
Thu Oct 27 17:27:39 UTC 2016


Fil Di Noto wrote:
> In my imagination, I see IPA for whatever reason comes across a cert
> it signed in the past and decides it needs to compare the SAN to the
> directory. Then it sees the SAN doesn't have an associated principal
> in the directory. Who does IPA trust? (the directory obviously). IPA
> says, "is this SAN in the directory? No. Did I sign the cert? Yes.
> Should I trust the cert? Yes because I signed it."

Speaking purely from the PKI perspective without detailed knowledge about FreeIPA:

If the IPA directory is the only assured source of truth then the CA must revoke
the cert because its knowledge about the assertion made in the cert (this public
key belongs to this entity) cannot be verified anymore.

Note that the assertion made in a cert has to be valid for the *complete*
validity period of the cert, not only at the time of cert issuance.

=> If in doubt then revoke.

Ciao, Michael.
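[Editor's note, added to the archived thread: the following example is not part of the original post and is not FreeIPA's own code. It applies the rule above as a reconciliation pass: given the certificates a CA has issued and the current set of host entries in the directory, every certificate that is still inside its validity period and whose SAN names a host the directory no longer knows is flagged for revocation, and a cert with one known and one unknown name is still flagged, since the binding it asserts must hold for every name it carries. Expired certificates are skipped because they can no longer be used. The directory snapshot, the issued certificates, the OpenSSL-style SAN text format and the function names are all constructed for illustration.]

```python
"""
Added example (not from the original thread or from FreeIPA): decide which
issued certificates must be revoked because the directory, taken as the
only source of truth, no longer has a host entry for a name in their SAN.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc

# Constructed directory snapshot: FQDNs of host entries that currently
# exist (a stand-in for the host principals host/<fqdn>@REALM).
DIRECTORY_HOSTS = {
    "web1.example.test",
    "web2.example.test",
    "db1.example.test",
}


@dataclass(frozen=True)
class IssuedCert:
    serial: int
    san: str                 # OpenSSL-style SAN text, e.g. "DNS:a, DNS:b"
    not_before: datetime
    not_after: datetime


# Constructed issuance log. Serial 1002 names a host that has since been
# deleted, 1003 is already expired, 1004 carries a non-DNS entry as well.
ISSUED = [
    IssuedCert(1001, "DNS:web1.example.test",
               datetime(2016, 1, 1, tzinfo=UTC), datetime(2017, 1, 1, tzinfo=UTC)),
    IssuedCert(1002, "DNS:web2.example.test, DNS:old.example.test",
               datetime(2016, 1, 1, tzinfo=UTC), datetime(2017, 1, 1, tzinfo=UTC)),
    IssuedCert(1003, "DNS:gone.example.test",
               datetime(2014, 1, 1, tzinfo=UTC), datetime(2015, 1, 1, tzinfo=UTC)),
    IssuedCert(1004, "DNS:db1.example.test, IP Address:192.0.2.10",
               datetime(2016, 1, 1, tzinfo=UTC), datetime(2017, 1, 1, tzinfo=UTC)),
]

# Evaluation time: the date of the archived post.
NOW = datetime(2016, 10, 27, 17, 27, 39, tzinfo=UTC)


def parse_san_dns(san: str) -> list[str]:
    """Return the dNSName entries of an OpenSSL-style SAN string.

    Other general-name types (IP Address, email, URI, otherName) are
    ignored here; only DNS names are checked against host entries.
    Names are lower-cased and a trailing dot is dropped so that
    comparison with directory entries is canonical.
    """
    names = []
    for part in san.split(","):
        part = part.strip()
        if not part:
            continue
        kind, _, value = part.partition(":")
        if kind.strip().upper() == "DNS":
            names.append(value.strip().lower().rstrip("."))
    return names


def unknown_hosts(cert: IssuedCert, directory: set[str]) -> list[str]:
    """SAN dNSNames of `cert` that have no host entry in `directory`."""
    dir_norm = {h.lower().rstrip(".") for h in directory}
    return [n for n in parse_san_dns(cert.san) if n not in dir_norm]


def certs_to_revoke(issued, directory, now) -> list[int]:
    """Serials of still-valid certs whose SAN names an unknown host.

    Revocation is only needed while the certificate is usable, i.e.
    not_before <= now < not_after. The check is made against the
    directory as it is *now*, not as it was at issuance, because the
    assertion in the cert has to hold for the whole validity period.
    """
    out = []
    for cert in issued:
        if not (cert.not_before <= now < cert.not_after):
            continue            # expired or not yet valid: nothing to revoke
        if unknown_hosts(cert, directory):
            out.append(cert.serial)
    return out


if __name__ == "__main__":
    for serial in certs_to_revoke(ISSUED, DIRECTORY_HOSTS, NOW):
        print(f"revoke serial {serial}")
```

Run as a script it prints a single line for serial 1002. In a FreeIPA deployment the serials this returns would be passed to `ipa cert-revoke SERIAL --revocation-reason=5` (reason 5, cessationOfOperation, is the RFC 5280 code for an entity that has stopped existing); that CLI call is not exercised here.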

