- Support a new flag in the "puppet cert sign" tool, "--allow-authorization-extensions"
- Determine if a cert given to "puppet cert sign" has any extensions under the puppet.1.3 OID arc
- Fail the signing unless the --allow-authorization-extensions flag is present
- Audit the cert-related tools in puppet to see if any need to be updated with respect to this work; ca, certificate, certificate-request, certificate-revocation-list. Hopefully they don't need to be updated.
- Update the internal signing policy in the ruby CA code to allow the new puppet.3 arc (in certificate_authority.rb:323 in puppet)
Out of Scope
- Worrying about any extensions other than those under puppet.1.3