The point of this ticket is to define a new OID arc that can be used to guard cert signing in such a way that makes using x509 extensions safe for use in PE tk-auth rules (see
SERVER-1305 for a more in-depth motivation).
The new arc is puppet.3, short-named ppAuthExt. Two new OIDs will be added: pp_authorization and pp_auth_role.
The former is essentially intended for use as a flag that extensions from other arcs can be trusted on a given certificate. The latter is a convenience extension that duplicates the pp_role extension but with implied authorization.
- Add new extensions to puppet's oids.rb
- Add new extensions to Clojure CA
Out of Scope
- Functional changes anywhere
- Allowing the ruby CA or the clojure CA to actually respect these certs (that's in