Maybe ML is better suited, but I think there is a misunderstanding. Multiple certs for the same CN are expected. The CN is being used to identify the role.
FWIW, I've just written almost exactly the same code as the Hashicorp code and I do think there's a misunderstanding here.
CN is an ambiguous name by which an object is known in some limited scope and conforms to the naming conventions of the associated scope.

Any principal mapping to values in a subject DN at all needs to be scoped to an issuer.

In this code I see a chain being built above and the comparison happening out of the scope of the issuer against ambiguous values.

I just verified that the conditions are verified within the scope of the issuers / trusted chain. https://github.com/hashicorp/vault/blob/master/builtin/credential/cert/path_login.go#L201 …

Yes, I saw it made sure it was a trusted chain; that's not the concern though.

I'm not sure what your concern is. We expect non-unique certs and allow restrictions by issuer. Our mailing list is better for discussions.

As coded, any CA they trust is expected to behave in the way this code expects; this is likely not true in practice.

Mapping should be scoped to issuer at a minimum. E.g. ca1 AND subjectcn=foo