[Pki-devel] [PATCH] 0048-0049 Lightweight CAs: implement deletion

Fraser Tweedale ftweedal at redhat.com
Wed Sep 30 08:35:57 UTC 2015


On Wed, Sep 30, 2015 at 12:17:23AM -0400, Ade Lee wrote:
> ACK on synchronization patch.
> 
Thanks, pushed to master (2cc4977).

> On the delete patch, a few comments.
> 
> 1) It would be good to know what is going on with the exception.
> 
It would.  Investigations will continue.  As discussed on IRC, *if*
the patch is merged with this wart, I will open a ticket to track.

> 2) The new acls and mappings reminded me that upgrade scripts are
> required to allow old 10.x servers to be able to create subcas.  Please
> open a ticket if one does not yet exist.
> 
Ticket: https://fedorahosted.org/pki/ticket/1630

> 3) It would be good to have a "Are you sure?" dialog on the CLI (with
> relevant override option).
> 
Will do.

> 4) Please open an auditing ticket if one is not already opened.  We
>    definitely need to be auditing everything here in detail.
> 
Ticket: https://fedorahosted.org/pki/ticket/1629

> 5) I have been thinking about ways to restrict delete.  We should
>    discuss and decide on options.  Some ideas:
> 
>    a) Add CS.cfg option to disable deletes (for production say).
>
Disagree; don't want more config in flat files.  Having the knob in
the database would be better but I prefer a combination of other
options (see below).

>    b) Add optional field (deletable) to the CA entry.  This can be
>       set by the creating admin to be True for test environments or
>       cases where we know the environment will be short lived, or
>       False for long lived CAs.  Default could be configurable.
> 
>       CAs could still be deleted, but only by doing something
>       out-of-band --like modifying the db entry using pki-server
>       commands or similar.
>
>    c) Requiring CAs to be disabled before deleting them.
>
I'm in favour of this.

>    d) Setting a separate ACL for delete, so that it would be easier
>       for admins to set special permissions for delete.
>
And in favour of this.

>    ... others?
> 
I like (c) plus (d) plus perhaps a pkispawn knob that controls
whether the admin-can-delete ACL gets added at the beginning.

Let me know what you think and thanks for your feedback!
Fraser

> Ade
>
> On Wed, 2015-09-30 at 01:25 +1000, Fraser Tweedale wrote:
> > The attached patches fix some incorrect synchronization of the
> > lightweight CAs index (patch 0048) and implement deletion of
> > lightweight CAs (patch 0049).
> > 
> > These patches replace earlier patches 0048 and 0049 which I rescind.
> > 
> > There is a commented out throw in
> > CertificateAuthority.deleteAuthority(); I don't yet understand what
> > causes this failure case but a) everything seems to work (at least
> > with the small numbers of lightweight CAs I've tested with) and b)
> > I'm seeking clarification from NSS experts on the matter, so stay
> > tuned.
> > 
> > Cheers,
> > Fraser
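The combination favoured above, (c) plus (d) plus auditing, modelled as an added example (not Dogtag code): deletion of a lightweight CA is refused unless the caller holds a separate delete permission and the CA has already been disabled, and every attempt, allowed or denied, is recorded. The `Registry` class, the `delete_acl` set and the `"ca.delete"` permission name are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class LightweightCA:
    authority_id: str
    enabled: bool = True  # a CA must be disabled before it may be deleted


@dataclass
class Registry:
    cas: dict = field(default_factory=dict)
    # Separate ACL for delete (hypothetical "ca.delete" permission): only
    # principals listed here may remove a CA, independent of other admin rights.
    delete_acl: set = field(default_factory=set)
    audit: list = field(default_factory=list)

    def _audit(self, outcome, principal, authority_id, reason):
        # Every attempt is logged, including denials, so deletions are traceable.
        self.audit.append({"event": "AUTHORITY_DELETE", "outcome": outcome,
                           "principal": principal, "authority": authority_id,
                           "reason": reason})

    def delete_authority(self, principal, authority_id):
        """Return True if the CA was deleted, False if the request was refused."""
        if principal not in self.delete_acl:
            self._audit("FAILURE", principal, authority_id,
                        "principal lacks ca.delete permission")
            return False
        ca = self.cas.get(authority_id)
        if ca is None:
            self._audit("FAILURE", principal, authority_id, "no such authority")
            return False
        if ca.enabled:
            self._audit("FAILURE", principal, authority_id,
                        "authority must be disabled before deletion")
            return False
        del self.cas[authority_id]
        self._audit("SUCCESS", principal, authority_id, "deleted")
        return True
```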
