Hi all,
Currently the ExtendedKeyUsageExtDefault unconditionally sets the
EKU info for the certificate according to its configuration. If an
EKU extension is present in a signing request, it gets clobbered.
This is apparently a cause for confusion (see
https://fedorahosted.org/freeipa/ticket/2915), but because the
policy default is always paired with a policy constraint, it is
possible to copy the EKU from the request and allow the constraint
to reject unacceptable values.
Implementing this behaviour seems reasonable to me (and it would
resolve the above ticket) but I only have a newcomer's view of the
profiles system. Perhaps "multitude of profiles" is preferred over
"versatile profiles", or things must remain as they are for other
reasons. I appreciate your input!
(A side note: There are several profiles that use NoConstraint with
ExtendedKeyUsageExtDefault; to preserve existing behaviour, these
would have to be changed to use ExtendedKeyUsageExtConstraint,
configured to match the default).
Cheers,
Fraser
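The proposal above (copy the EKU from the signing request, then let the constraint reject unacceptable values, and give NoConstraint profiles a matching constraint) is easier to reason about as a small model. The following Python is an added illustration and is not Dogtag code: the class and function names (`EkuDefault`, `EkuConstraint`, `issue_eku`, `scenarios`) and the `copy_from_request` switch are hypothetical stand-ins for ExtendedKeyUsageExtDefault, ExtendedKeyUsageExtConstraint and the proposed behaviour; the OIDs are the standard EKU values from RFC 5280.

```python
# Added illustration (not Dogtag code): a model of how an EKU profile
# "default" and "constraint" pair could treat an EKU extension present in
# the signing request.  Class and function names are hypothetical.
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence, Tuple

# Well-known extended key usage OIDs (RFC 5280, section 4.2.1.12).
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
CODE_SIGNING = "1.3.6.1.5.5.7.3.3"


class ConstraintViolation(Exception):
    """Raised when the constraint rejects the EKU values about to be issued."""


@dataclass(frozen=True)
class EkuDefault:
    """Stand-in for ExtendedKeyUsageExtDefault: the EKU values the profile
    configures.  copy_from_request=False is today's unconditional overwrite;
    True is the proposed behaviour."""
    oids: Tuple[str, ...]
    copy_from_request: bool = False


@dataclass(frozen=True)
class EkuConstraint:
    """Stand-in for ExtendedKeyUsageExtConstraint: the EKU values the profile
    accepts.  Passing None instead of an instance models NoConstraint."""
    allowed: FrozenSet[str]


def apply_default(default: EkuDefault,
                  csr_eku: Optional[Sequence[str]]) -> Tuple[str, ...]:
    """Decide the EKU values for the certificate.

    Current behaviour: the configured values always win, clobbering the CSR's.
    Proposed behaviour: if the CSR carries an EKU extension, copy it; a CSR
    without an EKU extension still receives the configured values.
    """
    if default.copy_from_request and csr_eku is not None:
        return tuple(csr_eku)
    return default.oids


def apply_constraint(constraint: Optional[EkuConstraint],
                     eku: Tuple[str, ...]) -> Tuple[str, ...]:
    """Reject any EKU value the profile has not allowed.  With NoConstraint
    (None) everything passes, which is why a profile that copies from the
    request must pair the default with a constraint."""
    if constraint is None:
        return eku
    rejected = [oid for oid in eku if oid not in constraint.allowed]
    if rejected:
        raise ConstraintViolation(f"EKU value(s) not permitted by profile: {rejected}")
    return eku


def issue_eku(default, constraint, csr_eku):
    """Run the pair as a profile would: default first, then constraint."""
    return apply_constraint(constraint, apply_default(default, csr_eku))


def scenarios():
    """Walk through the cases raised in the message; returns name -> outcome."""
    both = EkuConstraint(frozenset({SERVER_AUTH, CLIENT_AUTH}))
    current = EkuDefault((SERVER_AUTH,))
    proposed = EkuDefault((SERVER_AUTH,), copy_from_request=True)
    out = {}
    out["current_clobbers_csr"] = issue_eku(current, both, (CLIENT_AUTH,))
    out["proposed_keeps_csr"] = issue_eku(proposed, both, (CLIENT_AUTH,))
    out["proposed_no_eku_in_csr"] = issue_eku(proposed, both, None)
    try:
        issue_eku(proposed, both, (CODE_SIGNING,))
        out["proposed_rejects_unacceptable"] = False
    except ConstraintViolation:
        out["proposed_rejects_unacceptable"] = True
    # Side note from the message: with NoConstraint, copying from the
    # request would hand the requester any EKU it asked for.
    out["noconstraint_lets_anything_through"] = issue_eku(proposed, None, (CODE_SIGNING,))
    # A constraint configured to match the old default closes that gap.
    try:
        issue_eku(proposed, EkuConstraint(frozenset(current.oids)), (CODE_SIGNING,))
        out["matching_constraint_rejects_foreign_eku"] = False
    except ConstraintViolation:
        out["matching_constraint_rejects_foreign_eku"] = True
    return out


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

Running it shows the two points of the message side by side: under the current behaviour a CSR asking for clientAuth silently receives serverAuth, while under the proposed behaviour it receives clientAuth, a codeSigning request is refused by the constraint, and a NoConstraint profile would issue codeSigning unless it is given a constraint matching its default.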