| commit | 192d3668cb19e074d75c52dead9912425837621d | |
| author | Kyle J. McKay <mackyle@gmail.com> | |
| Wed, 3 Jul 2013 21:45:48 +0000 (3 14:45 -0700) | ||
| committer | Kyle J. McKay <mackyle@gmail.com> | |
| Wed, 3 Jul 2013 23:43:06 +0000 (3 16:43 -0700) | ||
| tree | 127b7a83301612553628d05ca7a902f839d807d3 | treesnapshot (tar.gz zip) |
| parent | 019f8f34dc71afd39cf8104204b5f92b438b54c8 | commitdiff |
Make user https push certificates revokable
Since users now have a UUID assigned at creation time,
a subca is created for each user which includes this UUID
and the actual push certificates are issued by it.
When a user is removed, the user's subca can be revoked.
If a new user with the same name is added, that user will
have a different UUID and therefore the subca will be
different and not be accidentally considered revoked even
though the prior-user-with-the-same-name's subca has been
revoked.
Certificates are revoked by serial number and making sure
the name is different (by including the UUID) will
guarantee that a new-user-by-the-same-name-as-a-removed-user
will have a subca with a different serial number.
Since users now have a UUID assigned at creation time,
a subca is created for each user which includes this UUID
and the actual push certificates are issued by it.
When a user is removed, the user's subca can be revoked.
If a new user with the same name is added, that user will
have a different UUID and therefore the subca will be
different and not be accidentally considered revoked even
though the prior-user-with-the-same-name's subca has been
revoked.
Certificates are revoked by serial number and making sure
the name is different (by including the UUID) will
guarantee that a new-user-by-the-same-name-as-a-removed-user
will have a subca with a different serial number.
| cgi/usercert.cgi | diffblobblamehistory | |
| ezcert.git | diffblobblamehistory | |
| toolbox/remove-user.sh | diffblobblamehistory |