Puppet / PUP-6258

Update Puppet OID lists to add new authorized extensions

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: PUP 4.6.0
    • Component/s: None
    • Labels:
      None
    • Story Points:
      3
    • Sprint:
      Server Jade 2016-05-18, Server Jade 2016-06-01, Server Jade 2016-06-15

      Description

      The point of this ticket is to define a new OID arc that can be used to guard cert signing in a way that makes X.509 extensions safe to use in PE tk-auth rules (see SERVER-1305 for a more in-depth motivation).

      The new arc is puppet.3, short-named ppAuthExt. Two new OIDs will be added: pp_authorization and pp_auth_role.

      The former is essentially intended for use as a flag that extensions from other arcs can be trusted on a given certificate. The latter is a convenience extension that duplicates the pp_role extension but with implied authorization.

      In Scope

      • Add new extensions to Puppet's oids.rb
      • Add new extensions to the Clojure CA

      Out of Scope

      • Functional changes anywhere
      • Allowing the Ruby CA or the Clojure CA to actually respect these certs (that's in PUP-6257)

      New extensions

      1.3.6.1.4.1.34380.1.3.1 pp_authorization
      1.3.6.1.4.1.34380.1.3.13 pp_auth_role
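
      An added example, not code from this ticket or from Puppet: one way a signing guard could use the new arc, by listing every extension a CSR requests under puppet.3 and refusing automatic signing when any is present. The function names, the `safe_to_autosign?` policy and the sample CSRs are assumptions; the actual CA behaviour is the subject of PUP-6257.

```ruby
require 'openssl'

# Arc and OIDs as listed in the ticket (puppet.3, short name ppAuthExt).
PP_AUTH_ARC = '1.3.6.1.4.1.34380.1.3'
PP_AUTH_NAMES = {
  '1.3.6.1.4.1.34380.1.3.1'  => 'pp_authorization',
  '1.3.6.1.4.1.34380.1.3.13' => 'pp_auth_role'
}.freeze

# Names (or raw OIDs, if unnamed) of requested extensions inside the ppAuthExt arc.
def requested_auth_extensions(csr)
  ext_reqs = csr.attributes.select { |a| %w[extReq msExtReq].include?(a.oid) }
  oids = ext_reqs.flat_map do |attr|
    # attr.value is a SET holding one SEQUENCE of Extension SEQUENCEs;
    # the first element of each Extension is its OBJECT IDENTIFIER.
    attr.value.value.flat_map(&:value).map { |ext| ext.value.first.oid }
  end
  # The trailing dot keeps sibling arcs such as ...34380.1.30 from matching.
  oids.select { |oid| oid.start_with?("#{PP_AUTH_ARC}.") }
      .map { |oid| PP_AUTH_NAMES.fetch(oid, oid) }
end

# Hypothetical guard (assumption, not Puppet's code): allow automatic signing
# only when the CSR requests nothing from the authorization arc.
def safe_to_autosign?(csr)
  requested_auth_extensions(csr).empty?
end

SAMPLE_KEY = OpenSSL::PKey::RSA.new(2048) # throwaway key for constructed CSRs

# Constructed sample input: a CSR requesting the given { oid => string } extensions.
def sample_csr(common_name, extensions)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  csr.public_key = SAMPLE_KEY
  exts = extensions.map do |oid, value|
    der = OpenSSL::ASN1::UTF8String.new(value).to_der
    OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::ObjectId.new(oid),
                                 OpenSSL::ASN1::OctetString.new(der)])
  end
  unless exts.empty?
    set = OpenSSL::ASN1::Set.new([OpenSSL::ASN1::Sequence.new(exts)])
    csr.add_attribute(OpenSSL::X509::Attribute.new('extReq', set))
  end
  csr.sign(SAMPLE_KEY, OpenSSL::Digest.new('SHA256'))
  OpenSSL::X509::Request.new(csr.to_pem) # re-parse from PEM, as a CA receives it
end
```

      Matching on the arc prefix rather than on the two named OIDs means an extension added to puppet.3 later is held for review as well.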

              People

              Assignee:
              erik Erik Dasher
              Reporter:
              nathaniel Nathaniel Smith
              QA Contact:
              Erik Dasher