[Pki-devel] [PATCH] 0048-0049 Lightweight CAs: implement deletion
John Magne
jmagne at redhat.com
Wed Sep 30 17:36:13 UTC 2015
----- Original Message -----
> From: "Ade Lee" <alee at redhat.com>
> To: "Fraser Tweedale" <ftweedal at redhat.com>, pki-devel at redhat.com
> Sent: Tuesday, September 29, 2015 9:17:23 PM
> Subject: Re: [Pki-devel] [PATCH] 0048-0049 Lightweight CAs: implement deletion
>
> ACK on synchronization patch.
>
> On the delete patch, a few comments.
>
> 1) It would be good to know what is going on with the exception.
>
> 2) The new ACLs and mappings reminded me that upgrade scripts are
> required to allow old 10.x servers to be able to create subcas. Please
> open a ticket if one does not yet exist.
>
> 3) It would be good to have an "Are you sure?" dialog on the CLI (with
> relevant override option).
>
> 4) Please open an auditing ticket if one is not already opened. We
> definitely need to be auditing everything here in detail.
>

Couple more:
- Would it make sense to allow all in-progress requests to finish before detonation?
- What about a reversible delete where everything gets archived, like when one deletes a program off of a DVR which can be recovered later?

> 5) I have been thinking about ways to restrict delete. We should
> discuss and decide on options. Some ideas:
>
> a) Add CS.cfg option to disable deletes (for production say).
> b) Add optional field (deletable) to the CA entry. This can be
> set by the creating admin to be True for test environments or
> cases where we know the environment will be short lived, or
> False for long lived CAs. Default could be configurable.
>
> CAs could still be deleted, but only by doing something
> out-of-band -- like modifying the db entry using pki-server
> commands or similar.
> c) Requiring CAs to be disabled before deleting them.
> d) Setting a separate ACL for delete, so that it would be easier
> for admins to set special permissions for delete.
> ... others?
>
> Ade
>
> On Wed, 2015-09-30 at 01:25 +1000, Fraser Tweedale wrote:
> > The attached patches fix some incorrect synchronization of the
> > lightweight CAs index (patch 0048) and implement deletion of
> > lightweight CAs (patch 0049).
> >
> > These patches replace earlier patches 0048 and 0049 which I rescind.
> >
> > There is a commented out throw in
> > CertificateAuthority.deleteAuthority(); I don't yet understand what
> > causes this failure case but a) everything seems to work (at least
> > with the small numbers of lightweight CAs I've tested with) and b)
> > I'm seeking clarification from NSS experts on the matter, so stay
> > tuned.
> >
> > Cheers,
> > Fraser