Re: restricting the scope of CA certificates

On Fri, 2016-06-03 at 15:06 +0200, Nikos Mavrogiannopoulos wrote:
> On Fri, 2016-06-03 at 14:30 +0200, Tomas Mraz wrote:
> > > Sorry, I didn't realize that my question was worded ambiguously.
> > > 
> > > Let me rephrase it: Is it possible to express that only the Red Hat
> > > internal CA may issue certificates under *.corp.redhat.com, and no
> > > other CAs may issue certificates for this subtree?
> > Not in the terms of stapled extensions - as the extensions would have
> > to be stapled onto some concrete certificates. You would have to
> > basically create stapled extensions for every CA in your trusted list
> > except for the Red Hat internal CA. And if any additional CA is added
> > to the trusted list, it would have to get this stapled extension too.
> Well, you could do that by stapling every other certificate than Red
> Hat's with corp.redhat.com being on the excluded subtrees.

Yes, that's what I wrote above; however, that would not be very practical,
as you would have to monitor the trusted list for additions and staple
them too once they are added.
-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
(You'll never know whether the road is wrong though.)
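The following is an added example, not code from the thread or from any trust store implementation. It models the approach discussed above (every trusted CA except the internal one gets corp.redhat.com as an excluded subtree) and the maintenance gap Tomas points out: a CA added to the trust list later, without the stapled exclusion, can again issue under that subtree. The TrustAnchor class, the CA labels and the helper names are all constructed for illustration; the DNS-name matching follows the RFC 5280 rule that a constraint covers the name itself and any name formed by adding labels on its left.

```python
# Added example: a small model of per-CA name constraints ("stapled" excluded
# subtrees) and a check for trust anchors that still lack the exclusion.
# Standard library only; anchors and labels are constructed, not real data.
from dataclasses import dataclass, field
from typing import List


def dns_name_in_subtree(dns_name: str, subtree: str) -> bool:
    """RFC 5280 DNS-name constraint match: the name equals the subtree or is
    formed by adding one or more labels on its left (case-insensitive)."""
    name = dns_name.lower().rstrip(".")
    base = subtree.lower().lstrip(".").rstrip(".")
    return name == base or name.endswith("." + base)


@dataclass
class TrustAnchor:
    """A trusted CA plus the name constraints attached to it by local policy."""
    label: str
    permitted: List[str] = field(default_factory=list)  # empty = unrestricted
    excluded: List[str] = field(default_factory=list)


def ca_may_issue(anchor: TrustAnchor, dns_name: str) -> bool:
    """Excluded subtrees win over permitted ones, as in RFC 5280 validation."""
    if any(dns_name_in_subtree(dns_name, s) for s in anchor.excluded):
        return False
    if anchor.permitted and not any(
        dns_name_in_subtree(dns_name, s) for s in anchor.permitted
    ):
        return False
    return True


def staple_exclusion(trust_list: List[TrustAnchor], internal_ca: str, subtree: str):
    """Attach `subtree` as an excluded subtree to every anchor except the internal CA."""
    for anchor in trust_list:
        if anchor.label != internal_ca and subtree not in anchor.excluded:
            anchor.excluded.append(subtree)
    return trust_list


def issuers_for(trust_list: List[TrustAnchor], dns_name: str) -> List[str]:
    """Labels of anchors that local policy allows to issue for dns_name."""
    return [a.label for a in trust_list if ca_may_issue(a, dns_name)]


def unstapled_anchors(trust_list: List[TrustAnchor], internal_ca: str, subtree: str) -> List[str]:
    """Anchors (other than the internal CA) whose excluded subtrees do not cover
    `subtree`. This is the check that has to run whenever the trust list changes."""
    return [
        a.label for a in trust_list
        if a.label != internal_ca
        and not any(dns_name_in_subtree(subtree, s) for s in a.excluded)
    ]


def build_demo_trust_list() -> List[TrustAnchor]:
    """Constructed trust list: one internal CA and two public CAs."""
    return [
        TrustAnchor("Red Hat Internal CA"),
        TrustAnchor("Public CA A"),
        TrustAnchor("Public CA B"),
    ]


def demo():
    internal, subtree = "Red Hat Internal CA", "corp.redhat.com"
    trust = staple_exclusion(build_demo_trust_list(), internal, subtree)
    before = issuers_for(trust, "vpn.corp.redhat.com")  # only the internal CA
    public = issuers_for(trust, "www.redhat.com")       # every anchor
    # A CA added later without the stapled extension reopens the subtree.
    trust.append(TrustAnchor("Public CA C"))
    after = issuers_for(trust, "vpn.corp.redhat.com")   # internal CA + Public CA C
    gap = unstapled_anchors(trust, internal, subtree)   # the anchor to staple next
    return before, public, after, gap


if __name__ == "__main__":
    for name, value in zip(("before", "public", "after", "gap"), demo()):
        print(name, value)
```

Running `demo()` shows the two states side by side: with the exclusion stapled, only the internal CA is accepted for names under corp.redhat.com, while after "Public CA C" is added the same lookup accepts it too, and `unstapled_anchors` is the routine a trust-list update hook would call to find anchors that still need the exclusion.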


--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://lists.fedoraproject.org/admin/lists/security@xxxxxxxxxxxxxxxxxxxxxxx