[Freeipa-devel] [PATCH] 0038 cert-request: remove allowed extensions check

Alexander Bokovoy abokovoy at redhat.com
Thu Aug 13 11:36:50 UTC 2015


On Thu, 13 Aug 2015, Jan Cholasta wrote:
>Hi,
>
>On 13.8.2015 07:54, Fraser Tweedale wrote:
>>The attached patch fixes
>>https://fedorahosted.org/freeipa/ticket/5205
>
>Simo wrote this some time ago in a (private) discussion about CSR 
>extensions:
>
>On 23.1.2014 18:58, Simo Sorce wrote:
>>Regardless of which tool we use, I really think we need an API that will
>>list all the extensions, whether they are understood or not, and then we
>>need to proceed and check that only 'acceptable' extensions are passed
>>in. Dogtag will do extra validation for sure, but given IPA does access
>>control, then IPA needs to be sure of what it is checking.
>
>Simo, does this still hold? Fraser's patch removes the check. Is it OK 
>or not?
I don't see a contradiction. Nothing prevents us from actually verifying
the certificate request against the certificate profile in the IPA
framework and listing the outcome. This does not require hardcoding
actual extensions.
-- 
/ Alexander Bokovoy
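The enumerate-then-check approach the quoted discussion asks for, as an added example that is not part of this thread, of FreeIPA or of Dogtag: a dependency-free walk over a DER-encoded X.509 Extensions block that lists every extension, recognised or not, and marks each one against a profile allowlist instead of a hardcoded set. The sample bytes, the private-enterprise OID and the allowlist are constructed for the example.

```python
# Added example (not FreeIPA or Dogtag code): list every X.509 v3 extension in
# a DER Extensions block, recognised or not, then report which ones a profile
# would accept. The sample extensions and profile allowlist are constructed.

def read_tlv(buf, pos):
    """Return (tag, body, next_pos); handles short and long length forms."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: 0x8N then N length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Dotted string from OID contents octets (base-128 arcs)."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def list_extensions(ext_der):
    """Every (oid, critical) pair in Extensions ::= SEQUENCE OF Extension,
    including OIDs no code path understands: nothing is silently skipped."""
    _, seq, _ = read_tlv(ext_der, 0)
    pos, found = 0, []
    while pos < len(seq):
        _, ext, pos = read_tlv(seq, pos)
        _, oid_body, p = read_tlv(ext, 0)
        tag, body, _ = read_tlv(ext, p)     # BOOLEAN critical (absent = FALSE) or OCTET STRING
        found.append((decode_oid(oid_body), tag == 0x01 and body != b"\x00"))
    return found

def check_against_profile(ext_der, allowed_oids):
    """Per-extension outcome (oid, critical, allowed); the profile decides,
    so unknown extensions are rejected without being hardcoded anywhere."""
    return [(oid, crit, oid in allowed_oids) for oid, crit in list_extensions(ext_der)]

# Constructed sample Extensions block: keyUsage (critical), subjectAltName, and a
# critical extension under a private-enterprise OID that IPA would not recognise.
SAMPLE_EXTS = bytes.fromhex(
    "302f"
    "300e 0603551d0f 0101ff 0404030205a0"            # keyUsage, critical
    "3009 0603551d11 04023000"                       # subjectAltName
    "3012 06092b06010401868d1f01 0101ff 04020400"    # 1.3.6.1.4.1.99999.1, critical
)
PROFILE_ALLOWED = {"2.5.29.15", "2.5.29.17"}        # what a constructed profile permits
```

Running `check_against_profile(SAMPLE_EXTS, PROFILE_ALLOWED)` yields one outcome per extension, with the unrecognised critical extension flagged as rejected by the profile rather than dropped by the parser.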
