[Pki-devel] [PATCH] 0048-0049 Lightweight CAs: implement deletion
Fraser Tweedale
ftweedal at redhat.com
Wed Sep 30 08:35:57 UTC 2015
On Wed, Sep 30, 2015 at 12:17:23AM -0400, Ade Lee wrote:
> ACK on synchronization patch.
>
Thanks, pushed to master (2cc4977).
> On the delete patch, a few comments.
>
> 1) It would be good to know what is going on with the exception.
>
It would. Investigations will continue. As discussed on IRC, *if*
the patch is merged with this wart, I will open a ticket to track.
> 2) The new acls and mappings reminded me that upgrade scripts are
> required to allow old 10.x servers to be able to create sub-CAs. Please
> open a ticket if one does not yet exist.
>
Ticket: https://fedorahosted.org/pki/ticket/1630
> 3) It would be good to have a "Are you sure?" dialog on the CLI (with
> relevant override option).
>
Will do.
> 4) Please open an auditing ticket if one is not already opened. We
> definitely need to be auditing everything here in detail.
>
Ticket: https://fedorahosted.org/pki/ticket/1629
> 5) I have been thinking about ways to restrict delete. We should
> discuss and decide on options. Some ideas:
>
> a) Add CS.cfg option to disable deletes (for production say).
>
Disagree; don't want more config in flat files. Having the knob in
the database would be better but I prefer a combination of other
options (see below).
> b) Add optional field (deletable) to the CA entry. This can be
> set by the creating admin to be True for test environments or
> cases where we know the environment will be short lived, or
> False for long lived CAs. Default could be configurable.
>
> CAs could still be deleted, but only by doing something
> out-of-band -- like modifying the db entry using pki-server
> commands or similar.
>
> c) Requiring CAs to be disabled before deleting them.
>
I'm in favour of this.
> d) Setting a separate ACL for delete, so that it would be easier
> for admins to set special permissions for delete.
>
And in favour of this.
> ... others?
>
I like (c) plus (d) plus perhaps a pkispawn knob that controls
whether the admin-can-delete ACL gets added at the beginning.
Let me know what you think and thanks for your feedback!
Fraser
> Ade
>
> On Wed, 2015-09-30 at 01:25 +1000, Fraser Tweedale wrote:
> > The attached patches fix some incorrect synchronization of the
> > lightweight CAs index (patch 0048) and implement deletion of
> > lightweight CAs (patch 0049).
> >
> > These patches replace earlier patches 0048 and 0049 which I rescind.
> >
> > There is a commented out throw in
> > CertificateAuthority.deleteAuthority(); I don't yet understand what
> > causes this failure case but a) everything seems to work (at least
> > with the small numbers of lightweight CAs I've tested with) and b)
> > I'm seeking clarification from NSS experts on the matter, so stay
> > tuned.
> >
> > Cheers,
> > Fraser
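The two safeguards the thread converges on, (c) refusing to delete an authority that is still enabled and (d) gating deletion behind its own ACL permission rather than the generic modify permission, together with the audit trail item (4) asks for, can be modelled in a few dozen lines. The following is an added illustration written for this page, not code from the 0049 patch or from Dogtag itself; the class names, the `acl` dictionary layout, the group names and the authority ids are all constructed for the example and do not follow the project's CertificateAuthority API.

```python
# Toy model of the deletion guards discussed in the thread (hypothetical
# example; names do not follow Dogtag's CertificateAuthority API):
#   (c) an authority must be disabled before it may be deleted, and
#   (d) deletion is gated by its own ACL permission, separate from
#       create/modify, so admins can grant it to a narrower group.
# Every decision is appended to an audit trail (item 4 in the thread).
from dataclasses import dataclass, field


class AuthorityError(Exception):
    """Base class for policy failures."""


class NotFound(AuthorityError):
    pass


class Forbidden(AuthorityError):
    pass


class StillEnabled(AuthorityError):
    """Raised when deletion is attempted on an enabled authority."""


@dataclass(frozen=True)
class Principal:
    name: str
    groups: frozenset


@dataclass
class Authority:
    aid: str            # authority id (constructed sample values in demo())
    description: str
    enabled: bool = True


@dataclass
class AuthorityStore:
    # ACL: permission name -> groups that hold it.  "delete" is deliberately
    # a separate permission from "modify" (option d in the thread).
    acl: dict
    authorities: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def _require(self, who: Principal, perm: str, aid: str) -> None:
        allowed = self.acl.get(perm, frozenset())
        ok = bool(who.groups & allowed)
        self.audit.append((perm, aid, who.name, "allow" if ok else "deny"))
        if not ok:
            raise Forbidden(f"{who.name} lacks '{perm}' on authority {aid}")

    def _get(self, aid: str) -> Authority:
        try:
            return self.authorities[aid]
        except KeyError:
            raise NotFound(aid) from None

    def create(self, who: Principal, aid: str, description: str) -> None:
        self._require(who, "create", aid)
        self.authorities[aid] = Authority(aid, description)

    def disable(self, who: Principal, aid: str) -> None:
        self._require(who, "modify", aid)
        self._get(aid).enabled = False

    def delete(self, who: Principal, aid: str) -> None:
        ca = self._get(aid)
        self._require(who, "delete", aid)
        # option (c): refuse while the authority is still enabled
        if ca.enabled:
            self.audit.append(("delete", aid, who.name, "refused-enabled"))
            raise StillEnabled(f"disable {aid} before deleting it")
        del self.authorities[aid]


def demo():
    """Walk the policy with constructed sample data; returns the sequence
    of outcomes and the audit trail so the behaviour can be checked."""
    store = AuthorityStore(acl={
        "create": frozenset({"Administrators"}),
        "modify": frozenset({"Administrators"}),
        "delete": frozenset({"CA Deleters"}),   # narrower than Administrators
    })
    admin = Principal("admin", frozenset({"Administrators"}))
    deleter = Principal("ops", frozenset({"Administrators", "CA Deleters"}))
    outcomes = []
    store.create(admin, "ca-sub-1", "constructed sample lightweight CA")

    # 1. deleter tries to remove it while enabled -> blocked by guard (c)
    try:
        store.delete(deleter, "ca-sub-1")
    except StillEnabled:
        outcomes.append("still-enabled")

    store.disable(admin, "ca-sub-1")

    # 2. admin without the delete permission -> blocked by guard (d)
    try:
        store.delete(admin, "ca-sub-1")
    except Forbidden:
        outcomes.append("forbidden")

    # 3. disabled and holder of the delete permission -> deletion succeeds
    store.delete(deleter, "ca-sub-1")
    outcomes.append("deleted" if "ca-sub-1" not in store.authorities else "kept")
    return outcomes, store.audit


if __name__ == "__main__":
    for outcome in demo()[0]:
        print(outcome)
```

The ordering inside `delete` matters: the ACL check runs before the enabled check, so an unprivileged caller learns nothing about the authority's state, and both refusals leave a distinct audit record ("deny" versus "refused-enabled") that an operator can alert on.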