On 29.8.2016 07:57, Fraser Tweedale wrote:
> On Fri, Aug 26, 2016 at 10:41:37AM +0200, Jan Cholasta wrote:
>> Hi,
>>
>> On 22.7.2016 07:18, Fraser Tweedale wrote:
>>> While I was poking around SAN-processing code, I decided to
>>> implement a small enhancement: allowing the subject principal's DN
>>> to appear in SAN.
>>>
>>> https://fedorahosted.org/freeipa/ticket/6112
>>>
>>> Patch depends on my other patches 0090, 0092, 0093, 0094.
>>
>> I don't think this is how DN SANs are supposed to be handled. For example,
>> see this bit about DN name constraints in RFC 5280 section 4.2.1.10:
>>
>>    Restrictions of the form directoryName MUST be applied to the subject
>>    field in the certificate (when the certificate includes a non-empty
>>    subject field) and to any names of type directoryName in the
>>    subjectAltName extension.
>>
>> It would appear to me that DN SANs only provide additional values to the
>> subject name of the certificate and thus should be treated the same way as
>> the subject name.
>>
>> We don't impose any restrictions on subject names with regard to DN of the
>> subject LDAP entry, so I think we should not do it for DN SANs either. Or,
>> alternatively, we should do it for both.
>
> I disagree.  Supporting an altname containing the LDAP DN is a valid
> use case.  There is no need to apply the same rules to Subject DN
> and Directory Name altname

Nowhere in the RFC is it stated that there is any semantic difference between the subject name and DN SANs, so I don't see why we should make DN SANs special.

> (otherwise, why would the Directory Name
> altname type even exist?).

To allow multiple subject DNs.

> There are other possible values but this
> one is trivial to validate so why not?

I have no issue with validation per se, I just find it very odd that the code would allow me to request a cert with any LDAP entry DN in the subject name but only one specific LDAP entry DN in a DN SAN.

> As for the RFC excerpt, this is about the Name Constraints
> extension.  In the unlikely case that a superior certificate has a
> Name Constraints extension that applies to DNs, the way we construct
> the Subject DN is probably the bigger problem ;)

Yes, this particular excerpt is about name constraints, but I doubt that if you looked anywhere else, it would say something different about the relationship of subject name and DN SANs.

> Take the feature or leave it (after all, no one has asked for it yet)
> but IMO the usage is valid.
>
> Cheers,
> Fraser

--
Jan Cholasta
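An added illustration of the RFC 5280 section 4.2.1.10 rule quoted in this thread (example code, not from the thread or from FreeIPA): a directoryName name constraint is applied to the certificate's subject and to every directoryName SAN in exactly the same way, so a DN placed in the SAN is subject to the same constraint checks as the subject DN. The DNs and the constraint subtrees below are constructed for the example, and DN parsing is simplified (assumes no escaped separators).

```python
import re

# A DN is modelled root-first as a list of RDNs; each RDN is a frozenset of
# (attribute type, normalised value) pairs, so multi-valued RDNs compare as sets.
DN = list[frozenset[tuple[str, str]]]


def _norm(value: str) -> str:
    # Simplified caseIgnoreMatch: fold case and collapse internal whitespace.
    return re.sub(r"\s+", " ", value.strip()).lower()


def parse_dn(text: str) -> DN:
    """Parse an RFC 4514-style string (leaf first, e.g. 'CN=x,O=y,C=z') into
    root-first RDNs. Escaped ',' '+' '=' are not handled (assumption: none)."""
    rdns: DN = []
    for rdn in text.split(","):
        avas = []
        for ava in rdn.split("+"):
            attr, _, value = ava.partition("=")
            avas.append((attr.strip().lower(), _norm(value)))
        rdns.append(frozenset(avas))
    rdns.reverse()  # string order is leaf first; subtree matching wants root first
    return rdns


def within_subtree(name: DN, base: DN) -> bool:
    """RFC 5280 4.2.1.10: a DN is within a subtree if the base is a prefix of it."""
    return len(name) >= len(base) and name[: len(base)] == base


def dn_constraint_violations(subject: str, san_directory_names: list[str],
                             permitted: list[str], excluded: list[str]) -> list[str]:
    """Apply directoryName constraints to the subject (only if non-empty) and to
    every directoryName SAN alike; return a description of each violation."""
    names = [("SAN directoryName", n) for n in san_directory_names]
    if subject:  # RFC 5280: the subject is checked only when it is non-empty
        names.insert(0, ("subject", subject))
    permitted_dns = [parse_dn(p) for p in permitted]
    excluded_dns = [parse_dn(e) for e in excluded]
    violations = []
    for kind, raw in names:
        dn = parse_dn(raw)
        if permitted_dns and not any(within_subtree(dn, b) for b in permitted_dns):
            violations.append(f"{kind} {raw!r} is outside every permitted subtree")
        if any(within_subtree(dn, b) for b in excluded_dns):
            violations.append(f"{kind} {raw!r} is inside an excluded subtree")
    return violations
```

With a permitted subtree of `O=Example,C=US`, a certificate whose subject sits under that subtree still fails validation once an LDAP entry DN such as `uid=host,cn=computers,dc=example,dc=test` is added as a directoryName SAN.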

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code