boulder

History

Aaron Gable 07d56e3772 Add new, simpler revocation methods to RA (#5969 ) Add two new gRPC methods to the SA: - `RevokeCertByKey` will be used when the API request was signed by the certificate's keypair, rather than a Subscriber keypair. If the request is for reason `keyCompromise`, it will ensure that the key is added to the blocked keys table, and will attempt to "re-revoke" a certificate that was already revoked for some other reason. - `RevokeCertByApplicant` supports both the path where the original subscriber or another account which has proven control over all of the identifier in the certificate requests revocation via the API. It does not allow the requested reason to be `keyCompromise`, as these requests do not represent a demonstration of key compromise. In addition, add a new feature flag `MozRevocationReasons` which controls the behavior of these new methods. If the flag is not set, they behave like they have historically (see above). If the flag is set to true, then the new methods enforce the upcoming Mozilla policies around revocation reasons, namely: - Only the original Subscriber can choose the revocation reason; other clients will get a set reason code based on the method of requesting revocation. When the original Subscriber requests reason `keyCompromise`, this request will be honored, but the key will not be blocked and other certificates with that key will not also be revoked. - Revocations signed with the certificate key will always get reason `keyCompromise`, because we do not know who is sending the request and therefore must assume that the use of the key in this way represents compromise. Because these requests will always be fore reason `keyCompromise`, they will always be added to the blocked keys table and they will always attempt "re-revocation". - Revocations authorized via control of all names in the cert will always get reason `cessationOfOperation`, which is to be used when the original Subscriber does not control all names in the certificate anymore. Finally, update the existing `AdministrativelyRevokeCertificate` method to use the new helper functions shared by the two new methods. Part of #5936	2022-03-14 08:58:17 -07:00
..
reasons.go	Add new, simpler revocation methods to RA (#5969 )	2022-03-14 08:58:17 -07:00

Add new, simpler revocation methods to RA (#5969 )

Add two new gRPC methods to the SA:
- `RevokeCertByKey` will be used when the API request was signed by the
  certificate's keypair, rather than a Subscriber keypair. If the
  request is for reason `keyCompromise`, it will ensure that the key is
  added to the blocked keys table, and will attempt to "re-revoke" a
  certificate that was already revoked for some other reason.
- `RevokeCertByApplicant` supports both the path where the original
  subscriber or another account which has proven control over all of the
  identifier in the certificate requests revocation via the API. It does
  not allow the requested reason to be `keyCompromise`, as these
  requests do not represent a demonstration of key compromise.

In addition, add a new feature flag `MozRevocationReasons` which
controls the behavior of these new methods. If the flag is not set, they
behave like they have historically (see above). If the flag is set to true,
then the new methods enforce the upcoming Mozilla policies around
revocation reasons, namely:
- Only the original Subscriber can choose the revocation reason; other
  clients will get a set reason code based on the method of requesting
  revocation. When the original Subscriber requests reason
  `keyCompromise`, this request will be honored, but the key will not be
  blocked and other certificates with that key will not also be revoked.
- Revocations signed with the certificate key will always get reason
  `keyCompromise`, because we do not know who is sending the request and
  therefore must assume that the use of the key in this way represents
  compromise. Because these requests will always be fore reason
  `keyCompromise`, they will always be added to the blocked keys table
  and they will always attempt "re-revocation".
- Revocations authorized via control of all names in the cert will
  always get reason `cessationOfOperation`, which is to be used when the
  original Subscriber does not control all names in the certificate
  anymore.

Finally, update the existing `AdministrativelyRevokeCertificate` method
to use the new helper functions shared by the two new methods.

Part of #5936

2022-03-14 08:58:17 -07:00

reasons.go

Add new, simpler revocation methods to RA (#5969 )

2022-03-14 08:58:17 -07:00