[PUP-6258] Update Puppet OID lists to add new authorized extensions - Puppet Jira Server

XML

Word

Printable

Details

Type: New Feature
Status: Closed
Priority: Normal
Resolution: Fixed
Affects Version/s: None
Fix Version/s: PUP 4.6.0
Component/s: None
Labels:
None

Epic Link:
Securing SSL Extensions
Sub-team:
- jade
Story Points:
3
Sprint:
Server Jade 2016-05-18, Server Jade 2016-06-01, Server Jade 2016-06-15

Description

The point of this ticket is to define a new OID arc that can be used to guard cert signing in such a way that makes using x509 extensions safe for use in PE tk-auth rules (see ~~SERVER-1305~~ for a more in-depth motivation).

The new arc is puppet.3, short-named ppAuthExt. Two new OIDs will be added: pp_authorization and pp_auth_role.

The former is essentially intended for use as a flag that extensions from other arcs can be trusted on a given certificate. The latter is a convenience extension that duplicates the pp_role extension but with implied authorization.

In Scope

Add new extensions to puppet's oids.rb
Add new extensions to Clojure CA

Out of Scope

Functional changes anywhere
Allowing the ruby CA or the clojure CA to actually respect these certs (that's in ~~PUP-6257~~)

New extensions

1.3.6.1.4.1.34380.1.3.1 pp_authorization
1.3.6.1.4.1.34380.1.3.13 pp_auth_role

Attachments

Issue Links

blocks

PUP-6257 Add --allow-authorization-extensions to puppet cert sign

Closed

SERVER-1307 Clojure CA should refuse to sign any CSRs with authorized extensions

Closed

relates to

PUP-6335 Puppet OID listing should be shareable between Clojure and Ruby code

Closed

Activity

People

Assignee:: Erik Dasher

Reporter:: Nathaniel Smith

QA Contact:: Erik Dasher

Votes:: 0 Vote for this issue

Watchers:: 8 Start watching this issue

Dates

Created:: 2016/05/02 3:08 PM

Updated:: 2017/04/25 2:25 PM

Resolved:: 2016/06/14 10:42 AM