[Pki-devel] [PATCH] 66 Added cert revocation CLI.

Nathan Kinder nkinder at redhat.com
Fri Jun 8 23:56:00 UTC 2012


On 06/08/2012 04:37 PM, Endi Sukma Dewata wrote:
> On 6/8/2012 2:19 PM, Nathan Kinder wrote:
>> On 06/08/2012 12:06 PM, Endi Sukma Dewata wrote:
>>> On 6/8/2012 1:12 PM, Andrew Wnuk wrote:
>>>> On 06/07/2012 02:04 PM, Endi Sukma Dewata wrote:
>>>>> On 6/7/2012 11:38 AM, Andrew Wnuk wrote:
>>>>>> On 06/07/2012 07:28 AM, Endi Sukma Dewata wrote:
>>>>>>> The cert revocation CLI provides a tool to revoke and unrevoke
>>>>>>> certificates.
>>>>>>
>>>>>> "unrevoke" is really an inappropriate term. It suggests that one could
>>>>>> unrevoke any revoked certificate where in fact one can only take off
>>>>>> hold certificates that are currently on hold.
>>>>>
>>>>> How about a "revoke" command for permanent revocation only, and
>>>>> separate "on-hold" and "off-hold" commands for temporary revocation?
>>>>> Any suggestions?
>>>>>
>>>> This is an asymmetric case. "on-hold" is just one of many revocation
>>>> reasons. A certificate can be taken off hold if it was revoked with
>>>> the "on-hold" reason. There are only two operations: certificate
>>>> revocation and taking certificates off hold.
>>>
>>> The original "revoke" operation is partially asymmetric (permanent
>>> revocation) and partially symmetric (temporarily on-hold). It might be
>>> more intuitive to create a new "revoke" command that does asymmetric
>>> operation only (no "unrevoke" operation) and separate "on-hold" and
>>> "off-hold" commands for the symmetric operations.
>>>
>>> If we have "revoke" and "off-hold" only, people might be
>>> thinking, there's an "off-hold" command, so how do I "hold" a cert? It
>>> might not be very obvious that the "revoke" command has an "on-hold"
>>> option which behaves differently from the other revoke reasons.
>>>
>> I tend to agree from a pure CLI perspective. Behind the scenes,
>> "on-hold" is really a revocation reason, but that doesn't mean we need
>> to make the CLI use the exact same terminology.
>>
>> How about having "revoke", "on-hold", and "off-hold" commands? We can
>> still allow one to use the "revoke" command and specify the revocation
>> reason as on-hold, which would be the equivalent of the "on-hold"
>> command.
>
> +1
>
> Some other possibilities:
>  - revoke/hold/release
I like this one. Maybe even "revoke/hold/release-hold"? Plain
"release" doesn't seem very descriptive on its own. I think
"release-hold" is more clear.
>  - revoke/suspend/release
>  - revoke/enable/disable
>
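
Added example, not part of the original message or the project's code: a toy Python model of the revoke/hold/release-hold semantics discussed in this thread, using the RFC 5280 CRLReason codes. The CertStore class, its method names and the serial numbers are constructed for illustration; letting a held certificate be revoked permanently is an assumption taken from X.509 hold semantics.

```python
from enum import IntEnum

class Reason(IntEnum):
    """CRLReason codes from RFC 5280 (value 7 is unused)."""
    UNSPECIFIED = 0
    KEY_COMPROMISE = 1
    CA_COMPROMISE = 2
    AFFILIATION_CHANGED = 3
    SUPERSEDED = 4
    CESSATION_OF_OPERATION = 5
    CERTIFICATE_HOLD = 6
    REMOVE_FROM_CRL = 8
    PRIVILEGE_WITHDRAWN = 9
    AA_COMPROMISE = 10

class RevocationError(Exception):
    pass

class CertStore:
    """Hypothetical in-memory store: serial -> Reason; absent means valid."""
    def __init__(self):
        self.revoked = {}

    def revoke(self, serial, reason=Reason.UNSPECIFIED):
        reason = Reason(reason)  # accept plain ints, reject unknown codes
        if reason is Reason.REMOVE_FROM_CRL:
            raise RevocationError("use release_hold to take a cert off hold")
        current = self.revoked.get(serial)
        # Assumption: a held cert may still be revoked permanently,
        # but a permanent revocation can never be changed afterwards.
        if current is not None and current is not Reason.CERTIFICATE_HOLD:
            raise RevocationError(f"{serial:#x} already revoked: {current.name}")
        self.revoked[serial] = reason

    def hold(self, serial):
        # "hold" is only a shorthand for revoke with reason certificateHold.
        self.revoke(serial, Reason.CERTIFICATE_HOLD)

    def release_hold(self, serial):
        # The only reversible transition: certificateHold -> valid.
        if self.revoked.get(serial) is not Reason.CERTIFICATE_HOLD:
            raise RevocationError(f"{serial:#x} is not on hold")
        del self.revoked[serial]

    def status(self, serial):
        reason = self.revoked.get(serial)
        return "VALID" if reason is None else f"REVOKED/{reason.name}"
```
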



