Alexander Scheel
@ralfhauser Have you seen the [alternative `X500Name` constructor](https://javadoc.io/doc/org.bouncycastle/bcprov-jdk15on/latest/org/bouncycastle/asn1/x500/X500Name.html#X500Name-org.bouncycastle.asn1.x500.X500NameStyle-java.lang.String-)?

> ```java
> public X500Name(X500NameStyle style,
>                 java.lang.String dirName)
> ```

This would let you parse DQNs directly in this format: https://github.com/bcgit/bc-java/blob/5b1360854d85fd27b75720015be68f9e172db013/core/src/test/java/org/bouncycastle/asn1/test/X500NameTest.java#L60...
@ralfhauser Perhaps @dghgit can weigh in... My understanding is a style class allows for overriding our understanding/parsing of string attributes into proper RDN sequences. You might prefer `DNQ=` in the...
@UXabre I think Nick had mentioned on the extra ref that you could tie this to an entity and add entity metadata that supports templating, today, iirc. With Vault this...
@UXabre Apologies for the delay in getting back to you. I'd be curious to see the patch you have in mind. But I will note that we don't have a...
Hey @jmls -- to clarify, this has to do with the use of metadata from the OpenBao token in the ACL (or PKI) templating. There, you have to know exactly...
@mikebell90 Do you mind expanding on what your threat model might be? The issue I have, conceptually, with my understanding of this is, suppose an attacker compromises a credential of...
@mikebell90 Hmm... I agree with the premise of this (and thanks for explaining the shortcomings!), but I'm still rather convinced you want some upper bound on the validity period of...
\o Hey @mikebell90, sorry for the delay. I see the value, but still maintain it isn't optimal. If you want this, we can consider reviewing a PR. I'd be curious...
@lplazas I think a great place to start would be the PKI engine. While large, I think the changeset should mostly be limited to https://github.com/openbao/openbao/blob/main/builtin/logical/pki/path_tidy.go :-)
\o hey @lplazas! As an FYI, I'm tackling the ones in the PKI engine ahead of GA, but let me know if you're not interested in this any more and...