[Pki-devel] [PATCH] 0048-0049 Lightweight CAs: implement deletion

Ade Lee alee at redhat.com
Wed Sep 30 19:59:55 UTC 2015 

On Wed, 2015-09-30 at 11:26 -0700, Christina Fu wrote:
See other comments below, but the gist of Christina's comments are:
1.  We need to look up the parent and revoke the subca signing cert.
2.  We need to restrict Delete to Leaf CAs.  So if you have Host CA ->
sub ca1 -> sub ca2 -> subca 3,
     you cannot delete sub CA 1 without deleting subca3 and subca2 (in
that order).
3.  The mothballed state Christina refers to is what we now call the
disabled state.  In this case,
     we should not be able to issue new certs (including subca certs). 
 We should however still be able to
    revoke certs and publish CRLs.
> Hi Fraser,
> 
> Ade caught me on irc for some feedback.  I have not had chance to
> look at your patches, but I did get the gist of the subca delete
> issues from him.
> Two key suggestions I have:
> 1. make sure the action is audited to its parent (audit log
> preserved)
> 2. make sure revocation is taken cared of of the subca's signing cert
> (and therefore invalidating all its signed certs)
>    - and make sure the root CA is never deleted, so that the crls
> could be preserved and referenced to;
>    - and note that ocsp will no longer work for the subca that is
> deleted, as the signing cert is gone for good
> 
> Regarding keeping the root CA, we had discussion on possibly keeping
> it in a "mothballed state"...I'll let Ade add to this.
> 
> thanks,
> Christina
> 
> On 09/30/2015 07:00 AM, Fraser Tweedale wrote:
> > Updated patch attached. Comments inline.
> > 
> > On Wed, Sep 30, 2015 at 06:35:57PM +1000, Fraser Tweedale wrote:
> > > > 3) It would be good to have a "Are you sure?" dialog on the CLI
> > > > (with
> > > > relevant override option).
> > > > 
> > > Will do.
> > > 
> > Done.
> > 
> > > > 5) I have been thinking about ways to restrict delete.  We
> > > > should 
> > > >    discuss and decide on options.  Some ideas:
> > > > 
> > > >    a) Add CS.cfg option to disable deletes (for production
> > > > say).
> > > > 
> > > Disagree; don't want more config in flat files.  Having the knob
> > > in
> > > the database would be better but I prefer a combination of other
> > > options (see below).
> > > 
> > > >    b) Add optional field (deletable) to the CA entry.  This can
> > > > be
> > > >       set by the creating admin to be True for test
> > > > environments or
> > > >       cases where we know the environment will be short lived,
> > > > or
> > > >       False for long lived CAs.  Default could be configurable.
> > > > 
> > > >       CAs could still be deleted, but only by doing something
> > > >       out-of-band --like modifying the db entry using pki
> > > > -server
> > > >       commands or similar.
> > > > 
> > > >    c) Requiring CAs to be disabled before deleting them.
> > > > 
> > > I'm in favour of this.
> > > 
> > > >    d) Setting a separate ACL for delete, so that it would be
> > > > easier
> > > >       for admins to set special permissions for delete.
> > > > 
> > > And in favour of this.
> > > 
> > > >    ... others?
> > > > 
> > > I like (c) plus (d) plus perhaps a pkispawn knob that controls
> > > whether the admin-can-delete ACL gets added at the beginning.
> > > 
> > > Let me know what you think and thanks for your feedback!
> > > 
> > (c) and (d) are implemented in updated patch.  If you agree with
> > (c)
> > plus (d) plus pkispawn knob (I guess we'll call that (e)), I'll
> > file
> > a ticket for (e).
> > 
I'm OK with (c) and (d) and others appear to be too.  Archiving is
difficult because it basically won't work with an HSM.
I suppose this is just equivalent to the controls we have in revoking
the host CA signing cert.
I don't think (e) is needed.
> > Cheers,
> > Fraser
> > 

> > 
> >       
> > 
> >       > > 
> >       
> > 
> >       > > _______________________________________________
> > Pki-devel mailing list
> > 
Pki-devel at redhat.com> > 
https://www.redhat.com/mailman/listinfo/pki-devel
> > 
> >     
> 
>     

  

> _______________________________________________
> Pki-devel mailing list
> 
Pki-devel at redhat.com> 
https://www.redhat.com/mailman/listinfo/pki-devel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20150930/21747aa2/attachment.htm>

More information about the Pki-devel mailing list