[Freeipa-devel] [PATCH] 210 Allow SAN in IPA certificate profile

Simo Sorce simo at redhat.com
Thu Jan 9 15:49:58 UTC 2014


On Thu, 2014-01-09 at 10:44 -0500, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On 01/09/2014 03:12 PM, Simo Sorce wrote:

> >>> Also maybe we should allow admins to bypass the need to have an actual
> >>> object to represent the alt name ?
> 
> I'd rather not. This would allow a rogue admin to create a cert for 
> www.google.com. Sure, they could also create a host for that but forcing 
> them to add more entries increases the chances of them getting caught 
> doing it.

They can remove the host right after they create a cert, I honestly do
not think this is a valid concern. If your admin is rogue he can already
take full ownership of your infrastructure in many ways, preventing
setting a name in a cert doesn't really make a difference IMO.

However I would be ok to limit this to some new "Security Admin/CA
Admin" role that is not assigned by default.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



