On Tue, Aug 30, 2016 at 08:48:58AM +0200, Jan Cholasta wrote:
> On 29.8.2016 07:57, Fraser Tweedale wrote:
> > On Fri, Aug 26, 2016 at 10:41:37AM +0200, Jan Cholasta wrote:
> > > Hi,
> > > 
> > > On 22.7.2016 07:18, Fraser Tweedale wrote:
> > > > While I was poking around SAN-processing code, I decided to
> > > > implement a small enhancement: allowing the subject principal's DN
> > > > to appear in SAN.
> > > > 
> > > > https://fedorahosted.org/freeipa/ticket/6112
> > > > 
> > > > Patch depends on my other patches 0090, 0092, 0093, 0094.
> > > 
> > > I don't think this is how DN SANs are supposed to be handled. For example,
> > > see this bit about DN name constraints in RFC 5280 section 4.2.1.10:
> > > 
> > >    Restrictions of the form directoryName MUST be applied to the subject
> > >    field in the certificate (when the certificate includes a non-empty
> > >    subject field) and to any names of type directoryName in the
> > >    subjectAltName extension.
> > > 
> > > It would appear to me that DN SANs only provide additional values to the
> > > subject name of the certificate and thus should be treated the same way as
> > > the subject name.
> > > 
> > > We don't impose any restrictions on subject names with regard to DN of the
> > > subject LDAP entry, so I think we should not do it for DN SANs as well.
> > > Or, alternatively, we should do it for both.
> > > 
> > I disagree.  Supporting an altname containing the LDAP DN is a valid
> > use case.  There is no need to apply the same rules to Subject DN
> > and Directory Name altname
> 
> Nowhere in the RFC is it stated that there is any semantic difference
> between the subject name and DN SANs, so I don't see why should we make DN
> SANs special.
> 
> > (otherwise, why would the Directory Name
> > altname type even exist?).
> 
> To allow multiple subject DNs.
> 
> > There are other possible values but this
> > one is trivial to validate so why not?
> 
> I have no issue with validation per se, I just find it very odd that the
> code would allow me to request a cert with any LDAP entry DN in subject name
> but only one specific LDAP entry DN in DN SAN.
> 
> > 
> > As for the RFC excerpt, this is about the Name Constraints
> > extension.  In the unlikely case that a superior certificate has a
> > Name Constraints extension that applies to DNs, the way we construct
> > the Subject DN is probably the bigger problem ;)
> 
> Yes, this particular excerpt is about name constraints, but I doubt that if
> you looked anywhere else, it would say something different about the
> relationship of subject name and DN SANs.
> 
RFC 5280 doesn't say anything about the relationship between SDN and
DN SAN.  All it says is that if there is a name constraint, all the
names must satisfy the constraint.  A name constraint *could* imply
some "shared ancestry" relationships across all DNs on a cert, but
this is not necessarily the case, e.g. if the name constraint
only has excludedSubtrees.

> > 
> > Take the feature or leave it (after all, no one has asked for it yet)
> > but IMO the usage is valid.
> > 
> > Cheers,
> > Fraser
> > 
> 
> 
> -- 
> Jan Cholasta

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
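The point both sides circle around is how a directoryName name constraint is evaluated: RFC 5280 section 4.2.1.10 applies the same permittedSubtrees/excludedSubtrees test to the subject field and to every directoryName in the SAN, and a constraint with only excludedSubtrees does not force those DNs to share an ancestor. The following is an added example written for this thread, not FreeIPA or Dogtag code; it models DNs as root-first tuples of RDNs, uses a simplified DN comparison (case-insensitive, whitespace-folded, no escaped commas or multi-valued RDNs, a simplification of the rules in RFC 5280 section 7.1), and the subject DN, LDAP entry DN and constraint bases are constructed for illustration.

```python
"""RFC 5280 directoryName name-constraint check over subject + SAN DNs.

Added example for this thread (not FreeIPA code). Each DN is a tuple of
(attribute, value) RDNs ordered root-first; the same constraint is applied
to the subject field and to each directoryName in subjectAltName, as
section 4.2.1.10 requires. All DN values below are constructed samples.
"""
from dataclasses import dataclass, field


def parse_dn(dn: str) -> tuple:
    """Split a comma-separated DN into normalized RDNs, ordered root-first.

    Simplifying assumption: no escaped commas and no multi-valued RDNs;
    attribute types and values are compared case-insensitively with
    whitespace folded, a cut-down version of the RFC 5280 7.1 rules.
    """
    rdns = [part.strip() for part in dn.split(",") if part.strip()]
    normalized = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        normalized.append((attr.strip().lower(), " ".join(value.split()).lower()))
    return tuple(reversed(normalized))


def in_subtree(name: tuple, base: tuple) -> bool:
    """A directoryName lies in a subtree when the base's RDNs are a prefix of it."""
    return len(name) >= len(base) and name[:len(base)] == base


@dataclass
class NameConstraints:
    permitted: list = field(default_factory=list)  # directoryName bases
    excluded: list = field(default_factory=list)   # directoryName bases


def check_directory_names(subject: str, san_dns: list, nc: NameConstraints) -> dict:
    """Return {dn: allowed} for the subject (if non-empty) and every directoryName SAN."""
    permitted = [parse_dn(b) for b in nc.permitted]
    excluded = [parse_dn(b) for b in nc.excluded]
    names = ([subject] if subject else []) + list(san_dns)
    results = {}
    for dn in names:
        parsed = parse_dn(dn)
        ok = True
        if permitted:  # permittedSubtrees: the name must fall under at least one base
            ok = any(in_subtree(parsed, b) for b in permitted)
        if ok and excluded:  # excludedSubtrees: the name must fall under none of them
            ok = not any(in_subtree(parsed, b) for b in excluded)
        results[dn] = ok
    return results


def all_names_allowed(subject: str, san_dns: list, nc: NameConstraints) -> bool:
    """True only if the subject and every directoryName SAN satisfy the constraint."""
    return all(check_directory_names(subject, san_dns, nc).values())


# Constructed sample data: a host subject DN alongside a directoryName SAN that
# carries the host's LDAP entry DN (the enhancement discussed in the thread).
SUBJECT = "CN=host.example.test,O=EXAMPLE.TEST"
LDAP_ENTRY_DN = "fqdn=host.example.test,cn=computers,cn=accounts,dc=example,dc=test"

# permittedSubtrees does force a shared ancestor: the LDAP DN lives under
# dc=example,dc=test, not under O=EXAMPLE.TEST, so the SAN fails while the
# subject passes.
PERMITTED_ONLY = NameConstraints(permitted=["O=EXAMPLE.TEST"])

# excludedSubtrees alone implies no shared ancestry: both DNs pass as long as
# neither sits under the excluded base.
EXCLUDED_ONLY = NameConstraints(excluded=["OU=Revoked,O=EXAMPLE.TEST"])

if __name__ == "__main__":
    for label, nc in (("permitted-only", PERMITTED_ONLY), ("excluded-only", EXCLUDED_ONLY)):
        print(label, check_directory_names(SUBJECT, [LDAP_ENTRY_DN], nc))
```

Running the block shows the two outcomes side by side: under the permitted-only constraint the subject passes and the LDAP-DN SAN fails, so a cert carrying both would be rejected by a path validator; under the excluded-only constraint both pass even though the two DNs share no common prefix.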
