We should consider making commands like `step certificate key`, `step crypto jwe encrypt --key`, and `step crypto jwt verify --key` that take an X.509 certificate also verify that certificate before use. For the latter two commands we may also want to check the key use attribute(s) in the certificate and ensure they're appropriate for the command being run.
This seems like the right default in terms of safety/misuse prevention, although the risk of serious danger seems minimal (particularly for the key use bit). The downside is that it will add more complexity: we'll probably need to add `--root(s)` and `--insecure` flags to set the CA cert and disable verification, respectively. We'd probably also need `--subtle` to disable the key use check. And I'm pretty sure our CA doesn't include the necessary key use(s) for these operations in leaf certificates. All of this could confuse users.
I'm not sure what the right answer is, but wanted to capture some thoughts for now.
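A sketch of the check proposed in this issue, added here as an example and not taken from step's code or from the issue author: verify the chain against a root pool, then require a key usage bit suited to the operation. The helper names `checkCert` and `newCert` are hypothetical, the certificates are constructed in memory, and the mapping of digitalSignature to JWT verification and keyEncipherment/keyAgreement to JWE encryption is an assumption.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// checkCert (hypothetical helper) verifies the chain to roots, then requires at least one key usage bit in need.
func checkCert(leaf *x509.Certificate, roots *x509.CertPool, need x509.KeyUsage) error {
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("verify chain: %w", err)
	}
	if leaf.KeyUsage&need == 0 {
		return fmt.Errorf("key usage %b lacks required bits %b", leaf.KeyUsage, need)
	}
	return nil
}

// newCert issues a constructed test certificate; a nil parent self-signs a CA.
func newCert(cn string, ku x509.KeyUsage, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, KeyUsage: ku, BasicConstraintsValid: true, IsCA: parent == nil,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, pk = t, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pk)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}

func main() {
	ca, caKey := newCert("constructed root", x509.KeyUsageCertSign, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	leaf, _ := newCert("constructed leaf", x509.KeyUsageDigitalSignature, ca, caKey)
	fmt.Println("jwt verify:", checkCert(leaf, roots, x509.KeyUsageDigitalSignature)) // accepted
	fmt.Println("jwe encrypt:", checkCert(leaf, roots, x509.KeyUsageKeyEncipherment|x509.KeyUsageKeyAgreement))
	fmt.Println("unknown root:", checkCert(leaf, x509.NewCertPool(), x509.KeyUsageDigitalSignature))
}
```

The leaf here carries only digitalSignature, so the encryption case is rejected on key usage while the empty root pool is rejected at chain verification, which are the two failures the proposed `--subtle` and `--insecure` flags would respectively override.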