Issue #6526: remove "request certificate with subjectaltname" permission - freeipa

freeipa

#6526 remove "request certificate with subjectaltname" permission

Closed: Fixed None Opened 7 years ago by ftweedal.

We currently have a "request certificate with subjectaltname" permission.

subjectAltName is required or relevant in most certificate use cases (esp. TLS,
where carrying DNS name in Subject DN CN attribute is deprecated.)

Therefore it does not really make sense to have a special permission for this,
over and above "request certificate" permission.

Furthermore, in IPA specifically:

we rigorously validate contents of SAN against subject principal data
the "request certificate with subjectaltname" permission check is
currently waived for self-service requests or if the operator is a host
principal.

Therefore, we should just remove this permission and remove associated code
from cert_request.

mbabinsk commented 7 years ago

master:

bdbb1c3 Remove "Request Certificate with SubjectAltName" permission

Metadata Update from @ftweedal:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5

7 years ago

Metadata

Assignee

someone

Tags

None

Blocking

None

Depending on

None

Priority

normal

Milestone

FreeIPA 4.5

None

affects_doc

None

source

None

knownissue

None

type

enhancement

blockedby

None

test_case

None

component

IPA

blocking

None

on_review

None

keywords

None

test_coverage

None

reviewer

None

external_tracker

None

rhbz

tester

None

changelog

None

design

None

freeipa

Source Code

#6526 remove "request certificate with subjectaltname" permission Closed: Fixed None Opened 7 years ago by ftweedal.

Metadata

#6526 remove "request certificate with subjectaltname" permission

Closed: Fixed None Opened 7 years ago by ftweedal.