[Pki-devel] [PATCH] 0048-0049 Lightweight CAs: implement deletion

John Magne jmagne at redhat.com
Wed Sep 30 17:36:13 UTC 2015





----- Original Message -----
> From: "Ade Lee" <alee at redhat.com>
> To: "Fraser Tweedale" <ftweedal at redhat.com>, pki-devel at redhat.com
> Sent: Tuesday, September 29, 2015 9:17:23 PM
> Subject: Re: [Pki-devel] [PATCH] 0048-0049 Lightweight CAs: implement deletion
> 
> ACK on synchronization patch.
> 
> On the delete patch, a few comments.
> 
> 1) It would be good to know what is going on with the exception.
> 
> 2) The new ACLs and mappings reminded me that upgrade scripts are
> required to allow old 10.x servers to be able to create sub-CAs.  Please
> open a ticket if one does not yet exist.
> 
> 3) It would be good to have an "Are you sure?" dialog on the CLI (with
> relevant override option).
> 
> 4) Please open an auditing ticket if one is not already opened.  We
>    definitely need to be auditing everything here in detail.
> 

Couple more:

- Would it make sense to allow all in-progress requests to finish before detonation?
- What about a reversible delete where everything gets archived, like when one deletes
a program off of a DVR, which can be recovered later?


> 5) I have been thinking about ways to restrict delete.  We should
>    discuss and decide on options.  Some ideas:
> 
>    a) Add CS.cfg option to disable deletes (for production, say).
>    b) Add optional field (deletable) to the CA entry.  This can be
>       set by the creating admin to be True for test environments or
>       cases where we know the environment will be short lived, or
>       False for long lived CAs.  Default could be configurable.
> 
>       CAs could still be deleted, but only by doing something
>       out-of-band, like modifying the db entry using pki-server
>       commands or similar.
>    c) Requiring CAs to be disabled before deleting them.
>    d) Setting a separate ACL for delete, so that it would be easier
>       for admins to set special permissions for delete.
>    ... others?
> 
> Ade
>  
> On Wed, 2015-09-30 at 01:25 +1000, Fraser Tweedale wrote:
> > The attached patches fix some incorrect synchronization of the
> > lightweight CAs index (patch 0048) and implement deletion of
> > lightweight CAs (patch 0049).
> > 
> > These patches replace earlier patches 0048 and 0049 which I rescind.
> > 
> > There is a commented-out throw in
> > CertificateAuthority.deleteAuthority(); I don't yet understand what
> > causes this failure case but a) everything seems to work (at least
> > with the small numbers of lightweight CAs I've tested with) and b)
> > I'm seeking clarification from NSS experts on the matter, so stay
> > tuned.
> > 
> > Cheers,
> > Fraser
> 
> 
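Added example (not part of the original thread, and not Dogtag code): a sketch of how the restrictions floated above (config switch, per-CA deletable flag, disable-before-delete, separate delete permission), the confirmation prompt, waiting for in-progress requests, archiving instead of destroying, and auditing could compose into one fail-closed check. Every class, field and permission name here is hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# All names below are hypothetical; none are Dogtag identifiers or CS.cfg keys.
@dataclass
class Authority:
    name: str
    enabled: bool = True
    deletable: Optional[bool] = None   # None: fall back to the configured default
    in_progress_requests: int = 0
    archived: bool = False

@dataclass
class Policy:
    deletes_enabled: bool = False      # idea (a): config switch, off unless set
    default_deletable: bool = False    # idea (b): default for an unset field

def delete_refusals(ca, policy, caller_perms, confirmed):
    """Return every reason the delete must be refused (empty list = allowed)."""
    reasons = []
    if not policy.deletes_enabled:
        reasons.append("deletes disabled in configuration")
    deletable = policy.default_deletable if ca.deletable is None else ca.deletable
    if not deletable:
        reasons.append("CA entry not marked deletable")
    if ca.enabled:                                   # idea (c)
        reasons.append("CA must be disabled first")
    if "authority.delete" not in caller_perms:       # idea (d): separate permission
        reasons.append("caller lacks the delete permission")
    if ca.in_progress_requests > 0:
        reasons.append("requests still in progress")
    if not confirmed:                                # "Are you sure?" or override
        reasons.append("operator did not confirm")
    return reasons

def delete_authority(ca, policy, caller_perms, confirmed, audit_log):
    """Archive the CA if every check passes; record an audit entry either way."""
    reasons = delete_refusals(ca, policy, caller_perms, confirmed)
    audit_log.append({"event": "authority-delete", "ca": ca.name,
                      "outcome": "failure" if reasons else "success",
                      "reasons": reasons})
    if reasons:
        return False
    ca.archived = True   # reversible delete: mark archived, keep entry and key
    return True
```

Collecting all refusal reasons, rather than stopping at the first, gives the audit record and the operator the full picture in one attempt.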



