We do not currently support any way to revoke a certificate before it expires, so a compromised certificate could be abused for a long time. We need to support some way for administrators to revoke a compromised certificate.
The best way to do this is probably to store a CRL in a system table, use gossip to notify all nodes whenever it changes, and have each node mirror the current CRL to its local data directory so the last known CRL will be available on restart.
Note that Go's TLS implementation does not support automatic revocation checking, but I think it gives us the tools to check against a CRL by hand (in the x509 package).
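A sketch of the by-hand CRL check mentioned above, using `crypto/x509`. This is an added example, not code from this issue or the project. The names `checkCRL`, `demoPKI` and `must` are hypothetical, rejecting a CRL that is past its `NextUpdate` is an assumed policy, and `RevokedCertificateEntries` requires Go 1.21 or later.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// checkCRL rejects cert unless crl is signed by issuer, still current, and does not list cert's serial.
func checkCRL(cert, issuer *x509.Certificate, crl *x509.RevocationList, now time.Time) error {
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("CRL signature: %w", err)
	}
	if now.After(crl.NextUpdate) { // fail closed on an outdated CRL (assumed policy)
		return fmt.Errorf("CRL stale since %v", crl.NextUpdate)
	}
	for _, e := range crl.RevokedCertificateEntries { // field added in Go 1.21
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("serial %v revoked at %v", cert.SerialNumber, e.RevocationTime)
		}
	}
	return nil
}

func must[T any](v T, err error) T { // panics on error; only used to build the sample data
	if err != nil {
		panic(err)
	}
	return v
}
func demoPKI(revoked int64) (ca, leaf *x509.Certificate, crl *x509.RevocationList) { // constructed sample data
	key, now := must(rsa.GenerateKey(rand.Reader, 2048)), time.Now()
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "demo CA"}, NotBefore: now,
		NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key))))
	t = &x509.Certificate{SerialNumber: big.NewInt(42), Subject: pkix.Name{CommonName: "node"}, NotBefore: now, NotAfter: now.Add(time.Hour)}
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, ca, &key.PublicKey, key)))) // reuses the CA key to keep the sample short
	rl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour),
		RevokedCertificateEntries: []x509.RevocationListEntry{{SerialNumber: big.NewInt(revoked), RevocationTime: now}}}
	return ca, leaf, must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, rl, ca, key))))
}

func main() {
	ca, leaf, crl := demoPKI(42) // the CRL revokes the sample leaf's own serial
	fmt.Println(checkCRL(leaf, ca, crl, time.Now()))
}
```

A check like this can be called from `tls.Config.VerifyPeerCertificate` with the leaf and its issuer taken from the verified chain. That callback is not invoked on resumed connections, so `VerifyConnection` is the hook to use if revocation must also apply to session resumption.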