Discussion:
[Freeipa-devel] [freeipa PR#773][opened] [WIP] Warn in cert-request if CSR doesn't contain SAN
felipevolpone
2017-05-09 20:10:31 UTC
URL: https://github.com/freeipa/freeipa/pull/773
Author: felipevolpone
Title: #773: [WIP] Warn in cert-request if CSR doesn't contain SAN
Action: opened

PR body:
"""
The code is obviously not the final version; however, I would like to know if I'm on the right path.

AFAIK we should check if the SAN extension is provided and if it has DNSName info.

Fix: https://pagure.io/freeipa/issue/6663
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/773/head:pr773
git checkout pr773
felipevolpone
2017-05-09 20:14:25 UTC
URL: https://github.com/freeipa/freeipa/pull/773
Author: felipevolpone
Title: #773: [WIP] Warn in cert-request if CSR doesn't contain SAN
Action: edited

Changed field: body
Original value:
"""
The code is obviously not the final version; however, I would like to know if I'm on the right path.

AFAIK we should check if the SAN extension is provided and if it has DNSName info.

Fix: https://pagure.io/freeipa/issue/6663
"""
frasertweedale
2017-05-10 01:51:58 UTC
URL: https://github.com/freeipa/freeipa/pull/773
Title: #773: [WIP] Warn in cert-request if CSR doesn't contain SAN

frasertweedale commented:
"""
Was there agreement that this should be implemented? (I am personally
against it, because the next release should update the default profile to use
the new CommonNameToSanExtDefault profile component).

If we do implement this, IMO it should be a per-profile configuration, because there may
be legitimate use cases where SAN is not needed.

If we do pursue the current approach, we should further check not only that SAN
is present, but that it contains a DNSName. Put another way, with the current patch,
SAN can be present, but it might contain only KRB5PrincipalName and no DNSName,
and therefore the warning will not show, but it probably should have warned.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/773#issuecomment-300351130
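
The check described in the comment above (SAN present is not enough, it must contain a DNSName), as an added example that is not code from the PR or from FreeIPA. It assumes the SAN extension value has already been extracted from the CSR as DER bytes; all function and sample names are hypothetical.

```python
# Added example (not FreeIPA code): stdlib-only walk of SAN GeneralNames.
SEQUENCE = 0x30
OTHER_NAME = 0xA0   # GeneralName [0] otherName (constructed), RFC 5280
DNS_NAME = 0x82     # GeneralName [2] dNSName (IA5String), RFC 5280
KRB5_PRINCIPAL_OID = bytes.fromhex("2b0601050202")  # 1.3.6.1.5.2.2, RFC 4556

def tlv(tag, value):
    """Encode one DER TLV; used here to build the constructed samples."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + value

def read_tlv(buf, pos):
    """Decode the DER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def san_dns_names(san_der):
    """Return the dNSName entries of a SAN extension value (None = no SAN)."""
    if san_der is None:
        return []
    tag, names, end = read_tlv(san_der, 0)
    if tag != SEQUENCE or end != len(san_der):
        raise ValueError("SAN value is not a single GeneralNames SEQUENCE")
    found, pos = [], 0
    while pos < len(names):
        tag, value, pos = read_tlv(names, pos)
        if tag == DNS_NAME:
            found.append(value.decode("ascii"))
    return found

def should_warn(san_der):
    """Warn when SAN is absent or present without any dNSName."""
    return not san_dns_names(san_der)

# Constructed samples; the KRB5PrincipalName body is an empty placeholder.
KRB5_NAME = tlv(OTHER_NAME, tlv(0x06, KRB5_PRINCIPAL_OID) + tlv(0xA0, tlv(SEQUENCE, b"")))
SAN_KRB5_ONLY = tlv(SEQUENCE, KRB5_NAME)
SAN_WITH_DNS = tlv(SEQUENCE, KRB5_NAME + tlv(DNS_NAME, b"web.example.test"))
```

A presence-only check would stay silent for `SAN_KRB5_ONLY`; `should_warn` treats it the same as a CSR with no SAN at all.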
HonzaCholasta
2017-05-10 05:10:23 UTC
URL: https://github.com/freeipa/freeipa/pull/773
Title: #773: [WIP] Warn in cert-request if CSR doesn't contain SAN

HonzaCholasta commented:
"""
@frasertweedale, I'm not aware of any agreement and I'm against this as well.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/773#issuecomment-300375495
pvoborni
2017-05-10 07:38:26 UTC
URL: https://github.com/freeipa/freeipa/pull/773
Title: #773: [WIP] Warn in cert-request if CSR doesn't contain SAN

pvoborni commented:
"""
AFAIK, there was no agreement on not implementing this, otherwise the ticket would be closed. The ticket #6663 was created to warn until the change in profiles is implemented (#4970). It was mentioned yesterday at the IPA meeting that we want to warn, when discussing: https://bugzilla.redhat.com/show_bug.cgi?id=1445345 and https://bugzilla.redhat.com/show_bug.cgi?id=1445927
"""

See the full comment at https://github.com/freeipa/freeipa/pull/773#issuecomment-300401288
pvoborni
2017-05-10 14:01:39 UTC
URL: https://github.com/freeipa/freeipa/pull/773
Title: #773: [WIP] Warn in cert-request if CSR doesn't contain SAN

pvoborni commented:
"""
I don't think it makes sense to spend time on configuration of the warning - that is a larger change (LDAP attr, schema, API...) and as such out of scope of 4.5.

A simple warning is IMO good, but it should be worded in a sense that SAN is not always needed. Probably mention in what general use cases it is needed, e.g. web services/pages.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/773#issuecomment-300491247
felipevolpone
2017-05-11 22:54:50 UTC
URL: https://github.com/freeipa/freeipa/pull/773
Author: felipevolpone
Title: #773: [WIP] Warn in cert-request if CSR doesn't contain SAN
Action: synchronized
felipevolpone
2017-05-11 22:58:19 UTC
URL: https://github.com/freeipa/freeipa/pull/773
Author: felipevolpone
Title: #773: [WIP] Warn in cert-request if CSR doesn't contain SAN
Action: closed