PKI - Add not_after=forbid value #489

Open
cipherboy opened this issue Aug 24, 2024 · 4 comments
Labels
feature New feature or request good first issue Good for newcomers help wanted Extra attention is needed secrets/pki Related to the pki secrets engine

Comments

@cipherboy
Member

cipherboy commented Aug 24, 2024

Is your feature request related to a problem? Please describe.

not_after can be overridden by the signing API, up to the duration of the intermediate CA's lifetime.

Describe the solution you'd like

For operators who want to strictly bind issuance to ttl and not allow callers to set not_after, we should allow a not_after=forbid value. This would prevent cert_util.go from reading not_after from the request parameter, potentially erring out if provided.

Describe alternatives you've considered

An alternative design that could be useful would be a not_after_bound API that takes one of three values:

  1. forbid,
  2. ttl-limited (to allow precise control of not_after within the bounds of ttl),
  3. An explicit maximum timestamp, useful for when not_after_behavior=permit (e.g. on root->leaf simple CAs).

This would be more flexible, but the question remains whether either of the two additional limits would be worthwhile. The answer is probably yes, so perhaps switching not_after to be strictly a time.Time typed field could be worthwhile.

Explain any additional use-cases

n/a

Additional context

I noticed this while looking through review of #487 to ensure we had rough parity. PKI allows control of not_after by the user as well as the role, but in SSH we only allow the role to control this value.

Strictly, changing not_after=forbid would be the safest option for PKI, but this would likely break existing integrations.
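The three not_after_bound modes sketched in the alternative design, worked through as an added example. This is not OpenBao's cert_util.go and not code from the issue; the type, mode and function names (RoleBounds, BoundForbid, BoundTTLLimited, BoundExplicitMax, resolveNotAfter) are assumptions, as is the choice to truncate at the issuing CA's own expiry rather than error there. It also covers the plain not_after=forbid proposal, since forbid is the first mode.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// BoundMode models the hypothetical not_after_bound role setting from the
// issue. The type and mode names are assumptions for illustration, not
// OpenBao's implementation.
type BoundMode int

const (
	BoundForbid      BoundMode = iota // request may not set not_after at all
	BoundTTLLimited                   // request may set not_after, but not past now+ttl
	BoundExplicitMax                  // request may set not_after, but not past a fixed timestamp
)

// RoleBounds is the subset of role configuration the check needs (assumed shape).
type RoleBounds struct {
	Mode  BoundMode
	TTL   time.Duration // default lifetime; also the ceiling for BoundTTLLimited
	MaxAt time.Time     // ceiling for BoundExplicitMax
}

var (
	ErrNotAfterForbidden    = errors.New("not_after may not be supplied by the request on this role")
	ErrNotAfterExceedsBound = errors.New("requested not_after exceeds the role's not_after bound")
	ErrNotAfterNotInFuture  = errors.New("requested not_after is not in the future")
)

// resolveNotAfter decides the NotAfter an issuer would place in the certificate.
// requested is the zero time when the caller did not send not_after. caNotAfter
// is the issuing CA's own expiry; here it is assumed to truncate the result,
// mirroring the "up to the intermediate CA's lifetime" ceiling described in the issue.
func resolveNotAfter(now time.Time, role RoleBounds, requested, caNotAfter time.Time) (time.Time, error) {
	fromTTL := now.Add(role.TTL)

	// No caller override: ttl alone governs, whatever the mode.
	if requested.IsZero() {
		return truncateToCA(fromTTL, caNotAfter), nil
	}

	switch role.Mode {
	case BoundForbid:
		// The request parameter is never honoured; fail loudly rather than silently ignore it.
		return time.Time{}, ErrNotAfterForbidden
	case BoundTTLLimited:
		if requested.After(fromTTL) {
			return time.Time{}, ErrNotAfterExceedsBound
		}
	case BoundExplicitMax:
		if role.MaxAt.IsZero() || requested.After(role.MaxAt) {
			return time.Time{}, ErrNotAfterExceedsBound
		}
	default:
		return time.Time{}, fmt.Errorf("unknown not_after_bound mode %d", role.Mode)
	}

	if !requested.After(now) {
		return time.Time{}, ErrNotAfterNotInFuture
	}
	return truncateToCA(requested, caNotAfter), nil
}

// truncateToCA caps a candidate NotAfter at the issuing CA's expiry.
func truncateToCA(candidate, caNotAfter time.Time) time.Time {
	if candidate.After(caNotAfter) {
		return caNotAfter
	}
	return candidate
}

func main() {
	// Constructed scenario: a 72h role in forbid mode under a one-year CA.
	now := time.Date(2024, 8, 24, 12, 0, 0, 0, time.UTC)
	caNotAfter := now.Add(365 * 24 * time.Hour)
	role := RoleBounds{Mode: BoundForbid, TTL: 72 * time.Hour}

	// Caller tries to request 30 days: rejected, not silently clamped.
	_, err := resolveNotAfter(now, role, now.Add(30*24*time.Hour), caNotAfter)
	fmt.Println("forbid + caller not_after:", err)

	// Caller sends no not_after: the role ttl decides.
	got, _ := resolveNotAfter(now, role, time.Time{}, caNotAfter)
	fmt.Println("forbid + no not_after:", got.Format(time.RFC3339))
}
```

Returning an error in forbid mode, rather than ignoring the parameter, is what makes the breakage the comment above anticipates visible to existing integrations instead of letting them believe their requested lifetime was honoured.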

@cipherboy cipherboy added the feature New feature or request label Aug 24, 2024
@cipherboy cipherboy added good first issue Good for newcomers help wanted Extra attention is needed labels Aug 24, 2024
@Nerkho
Contributor

Nerkho commented Sep 5, 2024

I believe I might also be able to tackle this one.

@cipherboy cipherboy added the secrets/pki Related to the pki secrets engine label Sep 7, 2024
@cipherboy
Member Author

cipherboy commented Sep 12, 2024

@Nerkho I think I like the alternative design now (not_after_bound), tbh, as it is more expressive -- I'd suggest also adding not_before_bound as well to match #515! :-)

@cipherboy
Member Author

\o hey @Nerkho -- still interested in working on this? :-)

@Nerkho
Contributor

Nerkho commented Oct 13, 2024

> \o hey @Nerkho -- still interested in working on this? :-)

Yes, sorry. I hadn't much time lately to work on this. If someone wants to work on it, feel free to reassign. Otherwise, I'll get to it when I find some time.
