Issue #5024: Prevent creation of sub-CA if pathLenConstraint violated - freeipa

freeipa

#5024 Prevent creation of sub-CA if pathLenConstraint violated

Closed: wontfix 5 years ago by ftweedal. Opened 8 years ago by ftweedal.

When creating a sub-CA, we should determine the pathLen constraint of the entire certification chain and error if the sub-CA would be invalid due to violation.

This ticket is to track Dogtag ticket https://fedorahosted.org/pki/ticket/1383
and ensure that we handle this failure mode appropriately on the IPA side.

mkosek commented 8 years ago

Processing leftovers from 4.2 backlog - this ticket was found as suitable for consideration in next big feature release - 4.4.

Metadata Update from @ftweedal:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog

7 years ago

ftweedal commented 5 years ago

Closing WONTFIX. The main work is on PKI side. If we ever get around to implementing it at all, the changes on IPA side should be minimal if any.

Workaround: don't do that :)

Edited 5 years ago by ftweedal

Metadata Update from @ftweedal:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

5 years ago

Metadata

Assignee

someone

Tags

None

Blocking

None

Depending on

None

Priority

low

Milestone

FreeIPA 4.5 backlog

None

affects_doc

None

source

None

knownissue

None

type

enhancement

blockedby

None

test_case

None

component

Certificate management

blocking

None

on_review

keywords

None

test_coverage

None

reviewer

None

external_tracker

None

rhbz

None

tester

None

changelog

None

design

None

freeipa

Source Code

#5024 Prevent creation of sub-CA if pathLenConstraint violated Closed: wontfix 5 years ago by ftweedal. Opened 8 years ago by ftweedal.

Metadata

#5024 Prevent creation of sub-CA if pathLenConstraint violated

Closed: wontfix 5 years ago by ftweedal. Opened 8 years ago by ftweedal.