On 06/08/2012 04:56 PM, Nathan Kinder wrote:
On 06/08/2012 04:37 PM, Endi Sukma Dewata wrote:
> On 6/8/2012 2:19 PM, Nathan Kinder wrote:
>> On 06/08/2012 12:06 PM, Endi Sukma Dewata wrote:
>>> On 6/8/2012 1:12 PM, Andrew Wnuk wrote:
>>>> On 06/07/2012 02:04 PM, Endi Sukma Dewata wrote:
>>>>> On 6/7/2012 11:38 AM, Andrew Wnuk wrote:
>>>>>> On 06/07/2012 07:28 AM, Endi Sukma Dewata wrote:
>>>>>>> The cert revocation CLI provides a tool to revoke and unrevoke
>>>>>>> certificates.
>>>>>>
>>>>>> "unrevoke" is really an inappropriate term. It suggests that one could
>>>>>> unrevoke any revoked certificate where in fact one can only take off
>>>>>> hold certificates that are currently on hold.
>>>>>
>>>>> How about a "revoke" command for permanent revocation only, and
>>>>> separate "on-hold" and "off-hold" commands for temporary revocation?
>>>>> Any suggestions?
>>>>>
>>>> This is an asymmetric case. "on-hold" is just one of many revocation
>>>> reasons. Certificate can be taken off hold if it was revoked with
>>>> "on-hold" reason. There are only two operations: certificate revocation
>>>> and taking certificates off hold.
>>>
>>> The original "revoke" operation is partially asymmetric (permanent
>>> revocation) and partially symmetric (temporarily on-hold). It might be
>>> more intuitive to create a new "revoke" command that does asymmetric
>>> operation only (no "unrevoke" operation) and separate "on-hold" and
>>> "off-hold" commands for the symmetric operations.
>>>
>>> If we only have "revoke" and "off-hold" only, people might be
>>> thinking, there's an "off-hold" command, so how do I "hold" a cert? It
>>> might not be very obvious that the "revoke" command has an "on-hold"
>>> option which behaves differently from the other revoke reasons.
>>>
>> I tend to agree from a pure CLI perspective. Behind the scenes,
>> "on-hold" is really a revocation reason, but that doesn't mean we need
>> to make the CLI use the exact same terminology.
>>
>> How about having "revoke", "on-hold", and "off-hold" commands? We can
>> still allow one to use the "revoke" command and specify the revocation
>> reason as on-hold, which would be the equivalent of the "on-hold"
>> command.
>
> +1
>
> Some other possibilities:
> - revoke/hold/release
I like this one. Maybe even "revoke/hold/release-hold"? Plain
"release" doesn't seem very descriptive on its own. I think
"release-hold" is more clear.
> - revoke/suspend/release
> - revoke/enable/disable
>
"on-hold" and "off-hold" are just two revocation reason values. Official
standard names and values are certificateHold (6) and removeFromCRL (8),
so I am fine with additional helper functions/commands (for hold and
release/remove) as long as revocation will support all standard values
for reason parameter including "certificateHold" and "removeFromCRL".
CA provides two step revocation to avoid accidental revocation of
incorrect certificates. This is important since revocation operation is
irreversible (with one exception) and it is especially important to avoid
accidental revocation of CA certificate.
I do hope that CLI interface provides secure two step revocation
including protection against accidental revocation of CA certificate.
Andrew
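
Added example, not part of the thread or of the project's code: a minimal Python model of the revoke/hold/release-hold semantics discussed above, using the RFC 5280 CRLReason values that include certificateHold (6) and removeFromCRL (8). The `CertStore` class, its method names, and the `confirm` and `allow_ca` parameters are hypothetical.

```python
from enum import IntEnum

class CRLReason(IntEnum):
    # RFC 5280 CRLReason values; 7 is unassigned.
    unspecified = 0
    keyCompromise = 1
    cACompromise = 2
    affiliationChanged = 3
    superseded = 4
    cessationOfOperation = 5
    certificateHold = 6
    removeFromCRL = 8
    privilegeWithdrawn = 9
    aACompromise = 10

class RevocationError(Exception):
    pass

class CertStore:
    """Hypothetical in-memory CA state: serial -> is_ca flag and current reason."""
    def __init__(self, certs):
        self.certs = {s: {"is_ca": ca, "reason": None} for s, ca in certs.items()}

    def revoke(self, serial, reason, confirm=False, allow_ca=False):
        cert = self.certs[serial]
        reason = CRLReason(reason)  # rejects non-standard values such as 7
        if reason is CRLReason.removeFromCRL:
            return self.release_hold(serial)
        # Only a valid or on-hold certificate may change state.
        if cert["reason"] not in (None, CRLReason.certificateHold):
            raise RevocationError("already permanently revoked")
        if cert["is_ca"] and not allow_ca:
            raise RevocationError("CA certificate: allow_ca required")
        if not confirm:
            return "pending"  # step one: nothing is changed yet
        cert["reason"] = reason  # step two: revocation takes effect
        return reason.name

    def hold(self, serial, confirm=False):
        # Helper command: same as revoke with reason certificateHold.
        return self.revoke(serial, CRLReason.certificateHold, confirm=confirm)

    def release_hold(self, serial):
        cert = self.certs[serial]
        # The one reversible case: only a certificate currently on hold.
        if cert["reason"] is not CRLReason.certificateHold:
            raise RevocationError("only certificates on hold can be released")
        cert["reason"] = None
        return "released"
```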