[Pki-devel] [PATCH] 66 Added cert revocation CLI.
Endi Sukma Dewata
edewata at redhat.com
Mon Jun 11 22:54:15 UTC 2012
On 6/10/2012 4:55 PM, Andrew Wnuk wrote:
> On 06/08/2012 04:56 PM, Nathan Kinder wrote:
>>> - revoke/hold/release
>> I like this one. Maybe even "revoke/hold/release-hold"? Plain
>> "release" doesn't seem very descriptive on it's own. I think
>> "release-hold" is more clear.
Sounds good. I'll change that in the next patch revision.
> "on-hold" and "off-hold" are just two revocation reason values. Official
> standard names and values are certificateHold (6) and removeFromCRL (8),
> so I am fine with additional helper functions/commands (for hold and
> release/remove) as long as revocation will support all standard values
> for reason parameter including "certificateHold" and "removeFromCRL".
>
> CA provides two step revocation to avoid accidental revocation of
> incorrect certificates. This is important since revocation operation is
> irreversible (with one exception) and it is specially important to avoid
> accidental revocation of CA certificate.
Do you mean the CA Web UI? In the UI you'd have to go through several
pages to find & select the certs and enter the revocation
date/reason/comments, but you can still change the inputs in the last
(confirmation) page, and once you click Submit the certificate will be
revoked immediately, so basically it's still a single step operation.
Usually a confirmation page shouldn't allow any input change without
navigating to another page first.
> I do hope that CLI interface provides secure two step revocation
> including protection against accidental revocation of CA certificate.
I can change the CLI to ask for a confirmation before executing the
operation like this:
% pki cert-revoke 0x8 --reason=KEY_COMPROMISE
Revoking certificate "0x8".
Are you sure (Y/N)? Y
-------------------------
Revoked certificate "0x8"
-------------------------
And for automation/scripting you can suppress the confirmation:
% pki cert-revoke 0x8 --reason=KEY_COMPROMISE --force
-------------------------
Revoked certificate "0x8"
-------------------------
Is this ok? How about the other add/mod/delete commands, should we
confirm each operation that changes the database?
--
Endi S. Dewata
More information about the Pki-devel
mailing list