Details
Type: Epic
Status: Closed
Priority: Normal
Resolution: Done
Description
Provide a clean mechanism for setting certificate extensions to be used for cert-based authorizations (e.g. in TK-293). This mechanism needs to be different from our existing certificate extensions due to the need to prevent authorization-granting certificates from being accidentally signed.
The logical way to do this is to create a new OID arc specifically for authorization-granting extensions.
Our root OID is 1.3.6.1.4.1.34380 for "puppetlabs". We then have:
puppetlabs.1: "Puppet Certificate Extension"
    puppetlabs.1.1: "Puppet Registered Certificate Extension" (ppRegCertExt)
    puppetlabs.1.2: "Puppet Private Certificate Extension" (ppPrivCertExt)
See details here.
Our CA will currently ONLY accept extension requests if they are under one of the existing ppRegCertExt or ppPrivCertExt OIDs. See the ruby code and the clojure code.
To implement "authorization" certificate extensions, we could define another OID arc under puppetlabs.1. For example, we could define:
    puppetlabs.1.3: "Puppet Authorization Certificate Extension" (ppAuthCertExt)
Because any extension request under this OID arc is flatly rejected today, we have full control over how we implement the methodology for accepting them. For example, we could require an explicit opt-in on the command line, something like:
puppet cert sign --allow-authorization-extensions
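To make the proposed policy concrete, here is an added illustration (written for this ticket, not Puppet's own CA code) of the accept/reject decision as the CA would apply it to the extension requests carried in a CSR's extReq attribute: anything under ppRegCertExt or ppPrivCertExt is accepted as today, anything under the proposed ppAuthCertExt arc is accepted only when the operator has opted in (the --allow-authorization-extensions case), and everything else is rejected. The OID arcs are the ones from the description; the function names, the CSR builder and the leaf OIDs used as sample input (34380.1.1.4, 34380.1.3.1) are constructed for the example, and standard extensions such as subjectAltName are outside its scope.

```ruby
require 'openssl'

# OID arcs from the ticket. The rest of this file is illustrative code written
# for this note; it is not Puppet's certificate-request or CA implementation.
PUPPETLABS_ROOT  = '1.3.6.1.4.1.34380'
PP_CERT_EXT      = "#{PUPPETLABS_ROOT}.1" # "Puppet Certificate Extension"
PP_REG_CERT_EXT  = "#{PP_CERT_EXT}.1"     # ppRegCertExt
PP_PRIV_CERT_EXT = "#{PP_CERT_EXT}.2"     # ppPrivCertExt
PP_AUTH_CERT_EXT = "#{PP_CERT_EXT}.3"     # proposed ppAuthCertExt

# True if +oid+ sits strictly below +arc+; the arc OID itself never matches,
# so a request for the bare arc is treated like any other foreign OID.
def under_arc?(oid, arc)
  oid.start_with?("#{arc}.")
end

# Classify one requested extension OID by the arc it falls under.
def classify_extension_oid(oid)
  return :registered    if under_arc?(oid, PP_REG_CERT_EXT)
  return :private       if under_arc?(oid, PP_PRIV_CERT_EXT)
  return :authorization if under_arc?(oid, PP_AUTH_CERT_EXT)
  :unknown
end

# Policy decision for a list of requested extension OIDs.
# Returns [accepted?, rejected_oids]. Authorization-granting extensions are
# only honoured when the signer explicitly opted in (allow_authorization: true).
def check_extension_request(oids, allow_authorization: false)
  rejected = oids.reject do |oid|
    case classify_extension_oid(oid)
    when :registered, :private then true
    when :authorization        then allow_authorization
    else false
    end
  end
  [rejected.empty?, rejected]
end

# Extract the dotted OIDs from a CSR's extReq attribute, which is encoded as
# SET { SEQUENCE { Extension, ... } }. Returns [] when the CSR has none.
def extension_request_oids(csr)
  attr = csr.attributes.find { |a| a.oid == 'extReq' }
  return [] unless attr
  attr.value.value.first.value.map do |asn1_ext|
    OpenSSL::X509::Extension.new(asn1_ext.to_der).oid
  end
end

# Build a sample CSR (constructed for this example) that requests the given
# custom OIDs, each carrying a placeholder UTF8String value.
def build_sample_csr(oids)
  key = OpenSSL::PKey::RSA.new(2048)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.parse('/CN=sample-agent.example')
  csr.public_key = key.public_key
  exts = oids.map do |oid|
    OpenSSL::X509::Extension.new(oid, OpenSSL::ASN1::UTF8String.new('demo').to_der, false)
  end
  ext_req = OpenSSL::X509::Attribute.new(
    'extReq', OpenSSL::ASN1::Set.new([OpenSSL::ASN1::Sequence.new(exts)])
  )
  csr.add_attribute(ext_req)
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
  csr
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: one registered extension, one proposed authorization one.
  csr  = build_sample_csr(["#{PP_REG_CERT_EXT}.4", "#{PP_AUTH_CERT_EXT}.1"])
  oids = extension_request_oids(csr)
  puts "requested: #{oids.inspect}"
  puts "default policy:        #{check_extension_request(oids).inspect}"
  puts "with --allow-auth-ext: #{check_extension_request(oids, allow_authorization: true).inspect}"
end
```

The point of keeping the arc check strict (a prefix match on the arc followed by a dot, with ppAuthCertExt gated behind a flag that defaults to off) is that an authorization-granting extension can never slip through an unattended `puppet cert sign` run; the operator has to say so at signing time.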