Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

security: Support certificate revocation #6263

Closed
bdarnell opened this issue Apr 23, 2016 · 1 comment
Closed

security: Support certificate revocation #6263

bdarnell opened this issue Apr 23, 2016 · 1 comment
Milestone
Later

Comments

@bdarnell
Copy link
Contributor

We do not currently support any way to revoke a certificate before it expires, so a compromised certificate could be abused for a long time. We need to support some way for administrators to revoke a compromised certificate.

The best way to do this is probably to store a CRL in a system table, use gossip to notify all nodes whenever it changes, and have each node mirror the current CRL to its local data directory so the last known CRL will be available on restart.

Note that Go's TLS implementation does not support automatic revocation checking, but I think it gives us the tools to check against a CRL by hand (in the x509 package).
@petermattis petermattis added this to the Later milestone Feb 22, 2017
@knz knz mentioned this issue Mar 13, 2017
Closed
@mberhault
Copy link
Contributor

part of #1674, although may be post 1.0.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
Later
Development

No branches or pull requests
3 participants
@bdarnell @mberhault @petermattis