Puppet Server: SERVER-2231

Publish an infrastructure only CRL in addition to the full CRL

    Details

    • Acceptance Criteria:

      The CA publishes an additional infrastructure CRL that contains only master-of-masters (MoM) and compile master certificates.
      Agent requests for the CRL, over the existing API, should be satisfied using this infrastructure CRL.
      The full CRL should continue to include all revoked certificates and should be used by infrastructure nodes (compile masters) via the existing 'file-sync' mechanism.

    • Team:
      Server
    • Release Notes:
      New Feature
    • Release Notes Summary:
      A list of certs that, when revoked, should be added to a separate CRL (useful for specifying special nodes in your infrastructure like compile masters). Whether this special CRL or the default CRL is distributed to agents is configurable.
    • QA Risk Assessment:
      Needs Assessment

      Description

      • Puppet Version: 6.x
      • Puppet Server Version: 6.x?
      • OS Name/Version: n/a

      Background: In our current implementation the CRL validity is set to 5 years. This effectively nullifies revocation checking of any 'server' certificates by agent nodes. The issue largely does not affect the MoM or the compile masters, because every time a new CRL is published it is available and updated locally on the MoM and replicated to the compile masters using the 'file-sync' mechanism.
      While agent nodes not doing revocation checking of servers or compile masters is less of a risk than the other way round, it is still an issue. Throughout, we strive to ensure that all SSL endpoints do the appropriate checking to protect themselves against rogue peers and against active man-in-the-middle attempts. Agents typically run in privileged mode and trust all content (and commands) from servers, meaning any service on the MoM or the compile masters. Hence it is important to close this potential vulnerability.

      One of the concerns with publishing a shorter-validity CRL, or letting agents fetch the CRL any time it is updated, is the increased demand on bandwidth, particularly in environments where the CRL can grow significantly large. While a shorter-validity CRL may not fully satisfy the requirement to use the most up-to-date revocation status in certain high-security or compliance environments, it is a step in the right direction short of implementing OCSP.

      Proposal:
      Publish a CRL containing only the MoM and compile master certificates, and satisfy agent CRL requests with this CRL. This assumes that compile masters, which also run puppet agents, do not use the same mechanism to request CRLs and continue to get and use the 'full' CRL.
      With the CRL size kept in check, this should allow us to publish a CRL with shorter validity and/or let agents fetch a new one every time it is published.
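      The following is an added worked example, not Puppet Server's own CA code, showing the split the proposal and the release notes summary describe: a CA signs one full CRL (every revoked certificate, long validity, replicated to compile masters) and one infrastructure CRL (only revoked certificates whose certname is on an "infra" list, short validity, handed to agents), and an agent-side check that rejects a revoked server using whichever CRL it received. The certnames, serial numbers, the one-day infra CRL validity and the certname-keyed infra list are all constructed assumptions for the demonstration; only the 5-year full-CRL validity comes from the ticket.

```ruby
require 'openssl'

# Constructed sample inventory (serial => certname); not from the ticket.
CERTS = {
  2 => 'mom.example.com',
  3 => 'compile1.example.com',
  4 => 'compile2.example.com',
  5 => 'agent01.example.com',
  6 => 'agent02.example.com'
}.freeze

# Assumed "infra cert list": certs that, when revoked, also go on the separate CRL.
INFRA_CERTNAMES = %w[mom.example.com compile1.example.com compile2.example.com].freeze

FULL_CRL_TTL  = 5 * 365 * 24 * 3600 # the 5-year validity the ticket describes for the full CRL
INFRA_CRL_TTL = 24 * 3600           # assumed short validity for the agent-facing CRL

# Build a throwaway CA (key + self-signed cert) for the demonstration.
def make_ca
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse('/CN=Puppet CA (example)')
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Sign an X.509 v2 CRL listing the given serials, valid for ttl seconds from now.
def build_crl(ca_key, ca_cert, serials, ttl, now = Time.now)
  crl = OpenSSL::X509::CRL.new
  crl.version     = 1
  crl.issuer      = ca_cert.subject
  crl.last_update = now
  crl.next_update = now + ttl
  serials.each do |serial|
    entry = OpenSSL::X509::Revoked.new
    entry.serial = serial
    entry.time   = now
    crl.add_revoked(entry)
  end
  crl.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  crl
end

# Publish both CRLs: the full one (every revoked cert, for file-sync to compile masters)
# and the infra-only one (revoked certs on the infra list, served to agents over the API).
def publish_crls(ca_key, ca_cert, revoked, certs: CERTS, infra: INFRA_CERTNAMES)
  infra_revoked = revoked.select { |serial| infra.include?(certs[serial]) }
  {
    full:  build_crl(ca_key, ca_cert, revoked, FULL_CRL_TTL),
    infra: build_crl(ca_key, ca_cert, infra_revoked, INFRA_CRL_TTL)
  }
end

def revoked_serials(crl)
  crl.revoked.map { |entry| entry.serial.to_i }.sort
end

# Agent-side check against whichever CRL the agent was handed: verify the CA's
# signature, refuse a stale CRL, then look the server's serial up.
def server_revoked?(crl, ca_cert, serial, now = Time.now)
  raise 'CRL signature does not verify against the CA' unless crl.verify(ca_cert.public_key)
  raise 'CRL has expired; refusing to rely on stale revocation data' if crl.next_update < now
  crl.revoked.any? { |entry| entry.serial.to_i == serial }
end

if __FILE__ == $PROGRAM_NAME
  key, ca = make_ca
  crls = publish_crls(key, ca, [3, 5, 6]) # compile1 plus two agents revoked
  puts "full CRL:  serials #{revoked_serials(crls[:full])}, #{crls[:full].to_der.bytesize} bytes"
  puts "infra CRL: serials #{revoked_serials(crls[:infra])}, #{crls[:infra].to_der.bytesize} bytes"
  puts "agent rejects compile1 with infra CRL? #{server_revoked?(crls[:infra], ca, 3)}"
end
```

      Revoking the two agent certificates grows only the full CRL; the infra CRL an agent downloads stays at one entry, which is what makes the short `next_update` affordable. The expiry check in `server_revoked?` is the piece the 5-year validity currently defeats: with a one-day infra CRL an agent that cannot fetch a fresh copy fails closed instead of trusting stale data.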

    People

    • Assignee: Unassigned
    • Reporter: Jayant Sane (jayant.sane)