registry: avoid storing full tls certificates #2556

Closed
ptrus opened this issue Jan 15, 2020 · 2 comments · Fixed by #2914
Labels: c:breaking/consensus (Category: breaking consensus changes), c:registry (Category: entity/node/runtime registry service)

Comments

ptrus commented Jan 15, 2020

Currently we store whole certificates in the registry. During #2475 an idea came up that we could potentially store only certificate hashes:

...But I guess the only way to avoid it would be to completely override how TLS authentication is performed so that only certificate hashes would be compared ...

Taken from: #2475 (comment)

Should probably at least evaluate the approach.

ptrus added the c:registry and c:breaking/consensus labels Jan 15, 2020
kostko mentioned this issue Jan 16, 2020

kostko commented Apr 8, 2020

With google.golang.org/grpc/security/advancedtls (see #2822) being a thing, this should be easy to do.

kostko commented Apr 30, 2020

Instead of comparing certificate hashes we could just verify Ed25519 public keys. This would also simplify configuring certificates via the CLI/config as a public key is small compared to a certificate.
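
The public-key check proposed in the last comment, sketched as an added example (not part of the thread, not the project's code, and not the change that landed in #2914). It uses the standard `crypto/tls` `VerifyPeerCertificate` hook rather than `advancedtls`; `keyVerifier`, `pinnedConfig`, `selfSigned` and the string-keyed allow-list are hypothetical names and shapes chosen for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// keyVerifier accepts a peer only if its leaf Ed25519 key is in allowed (raw key bytes as string).
func keyVerifier(allowed map[string]bool) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return fmt.Errorf("peer presented no certificate")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err != nil {
			return fmt.Errorf("bad peer certificate: %w", err)
		}
		pub, ok := leaf.PublicKey.(ed25519.PublicKey)
		if !ok || !allowed[string(pub)] {
			return fmt.Errorf("peer key is not a registered Ed25519 key")
		}
		return nil
	}
}

// pinnedConfig disables CA chain validation; the key check is the only identity check.
func pinnedConfig(allowed map[string]bool) *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12, InsecureSkipVerify: true, VerifyPeerCertificate: keyVerifier(allowed)}
}

// selfSigned builds a throwaway Ed25519 certificate (constructed sample input).
func selfSigned() (pub ed25519.PublicKey, der []byte, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err = x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return
}

func main() {
	pub, der, err := selfSigned()
	fmt.Println("setup:", err, "verify:", keyVerifier(map[string]bool{string(pub): true})([][]byte{der}, nil))
}
```

With `InsecureSkipVerify` set, expiry and name checks no longer run, so the allow-list is the sole trust decision; the handshake signature still ties the session to the private key behind the presented certificate.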
