Re: [Pki-devel] [PATCH] 66 Added cert revocation CLI.
On 6/8/2012 1:12 PM, Andrew Wnuk wrote:
On 06/07/2012 02:04 PM, Endi Sukma Dewata wrote:
> On 6/7/2012 11:38 AM, Andrew Wnuk wrote:
>> On 06/07/2012 07:28 AM, Endi Sukma Dewata wrote:
>>> The cert revocation CLI provides a tool to revoke and unrevoke
>>> certificates.
>>
>> "unrevoke" is really inappropriate term. It suggests that one could
>> unrevoke any revoked certificate where is fact one can only take off
>> hold certificates that are currently on hold.
>
> How about a "revoke" command for permanent revocation only, and
> separate "on-hold" and "off-hold" commands for temporary
revocation?
> Any suggestions?
>
This is asymmetric case. "on-hold" is just one of many revocation
reasons. Certificate can be taken off hold if it was revoked with
"on-hold" reason. There are only two operations: certificate revocation
and taking certificates off hold.
The original "revoke" operation is partially asymmetric (permanent
revocation) and partially symmetric (temporarily on-hold). It might be
more intuitive to create a new "revoke" command that does asymmetric
operation only (no "unrevoke" operation) and separate "on-hold" and
"off-hold" commands for the symmetric operations.
If we only have "revoke" and "off-hold" only, people might be
thinking,
there's an "off-hold" command, so how do I "hold" a cert? It might
not
be very obvious that the "revoke" command has an "on-hold" option
which
behaves differently from the other revoke reasons.
--
Endi S. Dewata