On 6/10/2012 4:55 PM, Andrew Wnuk wrote:
On 06/08/2012 04:56 PM, Nathan Kinder wrote:
>> - revoke/hold/release
> I like this one. Maybe even "revoke/hold/release-hold"? Plain
> "release" doesn't seem very descriptive on its own. I think
> "release-hold" is more clear.
Sounds good. I'll change that in the next patch revision.
"on-hold" and "off-hold" are just two revocation reason values. Official
standard names and values are certificateHold (6) and removeFromCRL (8),
so I am fine with additional helper functions/commands (for hold and
release/remove) as long as revocation will support all standard values
for reason parameter including "certificateHold" and "removeFromCRL".
The CA provides two-step revocation to avoid accidental revocation of
incorrect certificates. This is important since the revocation operation is
irreversible (with one exception), and it is especially important to avoid
accidental revocation of a CA certificate.
Do you mean the CA Web UI? In the UI you'd have to go through several
pages to find & select the certs and enter the revocation
date/reason/comments, but you can still change the inputs in the last
(confirmation) page, and once you click Submit the certificate will be
revoked immediately, so basically it's still a single step operation.
Usually a confirmation page shouldn't allow any input change without
navigating to another page first.
I do hope that the CLI interface provides secure two-step revocation,
including protection against accidental revocation of a CA certificate.
I can change the CLI to ask for a confirmation before executing the
operation like this:
% pki cert-revoke 0x8 --reason=KEY_COMPROMISE
Revoking certificate "0x8".
Are you sure (Y/N)? Y
-------------------------
Revoked certificate "0x8"
-------------------------
And for automation/scripting you can suppress the confirmation:
% pki cert-revoke 0x8 --reason=KEY_COMPROMISE --force
-------------------------
Revoked certificate "0x8"
-------------------------
Is this ok? How about the other add/mod/delete commands, should we
confirm each operation that changes the database?
--
Endi S. Dewata
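
Added example, not part of the thread and not the pki tool's code: a sketch of the checks discussed above (standard reason values, a confirmation step that a force option can suppress, and a CA-certificate guard that it cannot). The function, exception, field and status names are hypothetical, and reasons are given by their standard names or numbers rather than the CLI's KEY_COMPROMISE spelling.

```python
# Added illustration, not the pki tool's code; all names here are hypothetical.
from enum import IntEnum

class CRLReason(IntEnum):
    """CRLReason values from RFC 5280 section 5.3.1 (7 is unused)."""
    unspecified = 0
    keyCompromise = 1
    cACompromise = 2
    affiliationChanged = 3
    superseded = 4
    cessationOfOperation = 5
    certificateHold = 6
    removeFromCRL = 8
    privilegeWithdrawn = 9
    aACompromise = 10

class RevocationRefused(Exception):
    """Raised when a request must not be executed."""

def plan_revocation(cert, reason, confirm, force=False, allow_ca=False):
    """Check a request and run the confirmation step; return the new status.

    cert: constructed dict with 'serial', 'is_ca' and 'status'
          ('VALID', 'ON_HOLD' or 'REVOKED').
    confirm: callable(prompt) -> bool; skipped when force is set.
    """
    # Accept a standard name or number; anything else raises KeyError/ValueError.
    reason = CRLReason[reason] if isinstance(reason, str) else CRLReason(reason)
    status = cert["status"]
    if reason is CRLReason.removeFromCRL:
        # The one reversible case: only a certificate on hold can be released.
        if status != "ON_HOLD":
            raise RevocationRefused("only a certificate on hold can be released")
        new_status = "VALID"
    elif status == "REVOKED":
        raise RevocationRefused("certificate is already permanently revoked")
    else:
        new_status = "ON_HOLD" if reason is CRLReason.certificateHold else "REVOKED"
    if cert["is_ca"] and new_status != "VALID" and not allow_ca:
        # Suppressing the prompt must not be enough to revoke a CA certificate.
        raise RevocationRefused("CA certificate: allow_ca must be set explicitly")
    prompt = f'{reason.name}: certificate "{cert["serial"]}". Are you sure (Y/N)? '
    if not force and not confirm(prompt):
        raise RevocationRefused("not confirmed")
    return new_status
```

The validation runs before the prompt, so a request that can never succeed is rejected without asking the operator to confirm it.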