[Pki-devel] [PATCH] 66 Added cert revocation CLI.

Andrew Wnuk awnuk at redhat.com
Sun Jun 10 21:55:21 UTC 2012 

On 06/08/2012 04:56 PM, Nathan Kinder wrote:
> On 06/08/2012 04:37 PM, Endi Sukma Dewata wrote:
>> On 6/8/2012 2:19 PM, Nathan Kinder wrote:
>>> On 06/08/2012 12:06 PM, Endi Sukma Dewata wrote:
>>>> On 6/8/2012 1:12 PM, Andrew Wnuk wrote:
>>>>> On 06/07/2012 02:04 PM, Endi Sukma Dewata wrote:
>>>>>> On 6/7/2012 11:38 AM, Andrew Wnuk wrote:
>>>>>>> On 06/07/2012 07:28 AM, Endi Sukma Dewata wrote:
>>>>>>>> The cert revocation CLI provides a tool to revoke and unrevoke
>>>>>>>> certificates.
>>>>>>>
>>>>>>> "unrevoke" is really inappropriate term. It suggests that one could
>>>>>>> unrevoke any revoked certificate where is fact one can only take 
>>>>>>> off
>>>>>>> hold certificates that are currently on hold.
>>>>>>
>>>>>> How about a "revoke" command for permanent revocation only, and
>>>>>> separate "on-hold" and "off-hold" commands for temporary revocation?
>>>>>> Any suggestions?
>>>>>>
>>>>> This is asymmetric case. "on-hold" is just one of many revocation
>>>>> reasons. Certificate can be taken off hold if it was revoked with
>>>>> "on-hold" reason. There are only two operations: certificate 
>>>>> revocation
>>>>> and taking certificates off hold.
>>>>
>>>> The original "revoke" operation is partially asymmetric (permanent
>>>> revocation) and partially symmetric (temporarily on-hold). It might be
>>>> more intuitive to create a new "revoke" command that does asymmetric
>>>> operation only (no "unrevoke" operation) and separate "on-hold" and
>>>> "off-hold" commands for the symmetric operations.
>>>>
>>>> If we only have "revoke" and "off-hold" only, people might be
>>>> thinking, there's an "off-hold" command, so how do I "hold" a cert? It
>>>> might not be very obvious that the "revoke" command has an "on-hold"
>>>> option which behaves differently from the other revoke reasons.
>>>>
>>> I tend to agree from a pure CLI perspective. Behind the scenes,
>>> "on-hold" is really a revocation reason, but that doesn't mean we need
>>> to make the CLI use the exact same terminology.
>>>
>>> How about having "revoke", "on-hold", and "off-hold" commands? We can
>>> still allow one to use the "revoke" command and specify the revocation
>>> reason as on-hold, which would be the equivalent of the "on-hold" 
>>> command.
>>
>> +1
>>
>> Some other possibilities:
>>  - revoke/hold/release
> I like this one.  Maybe even "revoke/hold/release-hold"?  Plain 
> "release" doesn't seem very descriptive on it's own.  I think 
> "release-hold" is more clear.
>>  - revoke/suspend/release
>>  - revoke/enable/disable
>>
>
"on-hold" and "off-hold" are just two revocation reason values. Official 
standard names and values are certificateHold (6) and removeFromCRL (8), 
so I am fine with additional helper functions/commands (for hold and 
release/remove) as long as revocation will support all standard values 
for reason parameter including "certificateHold" and "removeFromCRL".

CA provides two step revocation to avoid accidental revocation of 
incorrect certificates. This is important since revocation operation is 
irreversible (with one exception) and it is specially important to avoid 
accidental revocation of CA certificate.

I do hope that CLI interface provides secure two step revocation 
including protection against accidental revocation of CA certificate.

Andrew

More information about the Pki-devel mailing list