[Pki-devel] [PATCH] 0048-0049 Lightweight CAs: implement deletion

Ade Lee alee at redhat.com
Wed Sep 30 04:17:23 UTC 2015


ACK on synchronization patch.

On the delete patch, a few comments.

1) It would be good to know what is going on with the exception.

2) The new ACLs and mappings reminded me that upgrade scripts are
required to allow old 10.x servers to be able to create sub-CAs.  Please
open a ticket if one does not yet exist.

3) It would be good to have an "Are you sure?" dialog on the CLI (with
a relevant override option).

4) Please open an auditing ticket if one is not already open.  We
   definitely need to be auditing everything here in detail.

5) I have been thinking about ways to restrict delete.  We should 
   discuss and decide on options.  Some ideas:

   a) Add a CS.cfg option to disable deletes (for production, say).
   b) Add optional field (deletable) to the CA entry.  This can be
      set by the creating admin to be True for test environments or
      cases where we know the environment will be short lived, or
      False for long lived CAs.  Default could be configurable.

      CAs could still be deleted, but only by doing something
      out-of-band, like modifying the db entry using pki-server
      commands or similar.
   c) Requiring CAs to be disabled before deleting them.
   d) Setting a separate ACL for delete, so that it would be easier
      for admins to set special permissions for delete.
   ... others?

Ade
 
On Wed, 2015-09-30 at 01:25 +1000, Fraser Tweedale wrote:
> The attached patches fix some incorrect synchronization of the
> lightweight CAs index (patch 0048) and implement deletion of
> lightweight CAs (patch 0049).
> 
> These patches replace earlier patches 0048 and 0049 which I rescind.
> 
> There is a commented out throw in
> CertificateAuthority.deleteAuthority(); I don't yet understand what
> causes this failure case but a) everything seems to work (at least
> with the small numbers of lightweight CAs I've tested with) and b)
> I'm seeking clarification from NSS experts on the matter, so stay
> tuned.
> 
> Cheers,
> Fraser
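The restrictions floated in point 5 above (a CS.cfg switch, an optional
per-CA "deletable" attribute, disable-before-delete, a separate delete ACL),
together with the CLI confirmation from point 3 and the audit trail from
point 4, fit naturally into a single guard in front of the delete. The
following is an added illustration written for this thread, not Dogtag code
from either patch: it is a Python model of such a guard, and every config
key, attribute name, permission name and CLI flag in it is a hypothetical
stand-in, not an identifier that exists in Dogtag.

```python
# Added example (not Dogtag's own code): a model of the proposed lightweight
# CA deletion guards.  Config keys, attribute and permission names, the
# "--force" flag and the audit record layout are all hypothetical stand-ins.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set


class DeleteRefused(Exception):
    """Raised when one of the deletion guards rejects the request."""


@dataclass
class LightweightCA:
    authority_id: str
    enabled: bool = True
    # Proposed optional "deletable" attribute (5b); None = use the configured default.
    deletable: Optional[bool] = None


@dataclass
class ServerConfig:
    # Hypothetical CS.cfg keys (5a): a global kill switch and the default for 5b.
    allow_authority_delete: bool = True
    default_authority_deletable: bool = True


# Hypothetical ACL (5d): principal -> permitted authority operations.
# "delete" is a separate permission from "modify" so it can be granted narrowly.
ACL: Dict[str, Set[str]] = {
    "caadmin": {"create", "modify", "delete"},
    "junioradmin": {"create", "modify"},
}

# Every attempt is recorded, refused or not (point 4).
AUDIT_LOG: List[Dict[str, str]] = []


def _audit(principal: str, authority_id: str, outcome: str, detail: str = "") -> Dict[str, str]:
    record = {"event": "AUTHORITY_DELETE", "principal": principal,
              "authority_id": authority_id, "outcome": outcome, "detail": detail}
    AUDIT_LOG.append(record)
    return record


def is_deletable(ca: LightweightCA, config: ServerConfig) -> bool:
    """Per-CA flag wins; otherwise fall back to the configured default (5b)."""
    return config.default_authority_deletable if ca.deletable is None else ca.deletable


def delete_authority(ca: LightweightCA, config: ServerConfig, acl: Dict[str, Set[str]],
                     principal: str, confirmed: bool = False) -> Dict[str, str]:
    """Apply every guard in order; return the audit record on success."""
    try:
        if not config.allow_authority_delete:                       # 5a
            raise DeleteRefused("authority deletion is disabled in CS.cfg")
        if "delete" not in acl.get(principal, set()):              # 5d
            raise DeleteRefused(f"{principal} lacks the 'delete' authority permission")
        if not is_deletable(ca, config):                            # 5b
            raise DeleteRefused("entry is marked not deletable; change that out of band first")
        if ca.enabled:                                              # 5c
            raise DeleteRefused("disable the authority before deleting it")
        if not confirmed:                                           # point 3
            raise DeleteRefused("confirmation required (answer 'y' or pass --force)")
    except DeleteRefused as exc:
        _audit(principal, ca.authority_id, "FAILURE", str(exc))
        raise
    return _audit(principal, ca.authority_id, "SUCCESS")


def cli_delete(argv: List[str], store: Dict[str, LightweightCA], config: ServerConfig,
               principal: str, prompt: Callable[[str], str] = lambda q: "n") -> Dict[str, str]:
    """Model of 'authority-del <id> [--force]' with an 'Are you sure?' prompt (point 3).

    `prompt` stands in for reading the answer from the terminal so the function
    can be driven non-interactively; --force is the hypothetical override.
    """
    force = "--force" in argv
    authority_id = [a for a in argv if not a.startswith("--")][0]
    ca = store[authority_id]
    confirmed = force or prompt(f"Delete authority {authority_id}? [y/N] ").strip().lower() == "y"
    record = delete_authority(ca, config, ACL, principal, confirmed=confirmed)
    del store[authority_id]          # only reached once every guard has passed
    return record


if __name__ == "__main__":
    cfg = ServerConfig()
    store = {"test-ca": LightweightCA("test-ca", enabled=False)}
    print(cli_delete(["test-ca", "--force"], store, cfg, "caadmin"))
    try:
        cli_delete(["missing-flag"], {"missing-flag": LightweightCA("missing-flag", enabled=False)},
                   cfg, "caadmin")
    except DeleteRefused as e:
        print("refused:", e)
```

The ordering matters: the cheap, environment-wide checks (config switch, ACL)
run before the per-entry ones, and the confirmation prompt is the last gate
so an operator is never asked "Are you sure?" about a deletion that would be
refused anyway. Every refusal is audited with its reason, which is what a
production CA would need to reconstruct who tried to remove what.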
