Add custom-certificate-validator example #351
Conversation
This adds an example of how to use a custom TrustedMaterial to implement a Certificate Revocation List
Signed-off-by: Cody Soyland <codysoyland@github.com>
LGTM!
func (tm *TrustedMaterialWithCertificateValidator) FulcioCertificateAuthorities() []root.CertificateAuthority {
Minor: what if there is a signed timestamp provider that has issued erroneous certificates with known serial numbers?
Maybe that can be left as an exercise to the reader.
Can I ask why this example is needed? CRLs are a pain to maintain and distribute, and part of the motivation behind short-lived certs is so that CRLs are not needed. This example also isn't using a CRL format, so it's an exercise left to the implementer on how to get the revoked serial numbers. If this is more to demonstrate how to use a custom validator, could we change the example to that?
I think the code looks good, but as @haydentherapper mentioned, I think we can update the wording. Clarify that this is an example of how to hook in custom certificate verification, for people using their own PKI, where long-lived certificates could be used, or intermediates are shipped in the bundle instead of via the TUF trust root.
This is in response to @kommendorkapten's proposal in #298.
Exactly, this is not a full CRL implementation, just an example of how to utilize the hooks in I can update the wording to be more explicit about this.
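The hook the thread is describing, written out as a stand-alone Go illustration. This is added here as an example and is not the code from this PR nor sigstore-go's API: the CertificateValidator hook type, the ValidatingCA wrapper around a crypto/x509 root pool, and the RunScenario driver are all hypothetical names for this illustration, and the private PKI it builds (one root, two long-lived code-signing leaves with serials 1001 and 1002) is constructed inline. It shows the ordering that matters for a custom validator: chain building against the operator's own roots runs first, and only then does the custom check (here a serial-number denylist whose source is left to the implementer, as the comments above say) get to reject the leaf.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CertificateValidator is the hook an operator plugs in; it runs only after
// ordinary chain building has succeeded. (Hypothetical type for this example.)
type CertificateValidator func(leaf *x509.Certificate) error

var ErrRevoked = errors.New("certificate serial number is revoked")

// NewSerialDenylist returns a validator that rejects leaves whose serial number
// the operator marked revoked; how the list is obtained is left to the implementer.
func NewSerialDenylist(serials ...*big.Int) CertificateValidator {
	revoked := make(map[string]bool, len(serials))
	for _, s := range serials {
		revoked[s.String()] = true
	}
	return func(leaf *x509.Certificate) error {
		if revoked[leaf.SerialNumber.String()] {
			return fmt.Errorf("%w: serial %v", ErrRevoked, leaf.SerialNumber)
		}
		return nil
	}
}

// ValidatingCA pairs a private root pool with a validator hook. Verify builds the
// chain with crypto/x509 first, so the hook only sees leaves that chained to a trusted root.
type ValidatingCA struct {
	Roots     *x509.CertPool
	Validator CertificateValidator
}

func (ca *ValidatingCA) Verify(leaf *x509.Certificate, at time.Time) ([][]*x509.Certificate, error) {
	opts := x509.VerifyOptions{Roots: ca.Roots, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	chains, err := leaf.Verify(opts)
	if err != nil {
		return nil, fmt.Errorf("chain verification failed: %w", err)
	}
	if ca.Validator != nil {
		if err := ca.Validator(leaf); err != nil {
			return nil, err
		}
	}
	return chains, nil
}

// mustCert issues tmpl under parent, signed with signer, and parses the result.
func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// RunScenario builds a constructed private PKI (one root, two long-lived code-signing
// leaves), revokes the second leaf by serial and returns each leaf's verification error.
func RunScenario() (goodErr, revokedErr error) {
	now := time.Now()
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Private Root"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caCert := mustCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	newLeaf := func(serial int64) *x509.Certificate {
		key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(serial), NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		}
		return mustCert(tmpl, caCert, &key.PublicKey, caKey) // long-lived leaf, unlike Fulcio's
	}
	goodLeaf, revokedLeaf := newLeaf(1001), newLeaf(1002)
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	ca := &ValidatingCA{Roots: pool, Validator: NewSerialDenylist(big.NewInt(1002))}
	_, goodErr = ca.Verify(goodLeaf, now)
	_, revokedErr = ca.Verify(revokedLeaf, now)
	return goodErr, revokedErr
}

func main() {
	fmt.Println(RunScenario()) // <nil>, then the ErrRevoked error for serial 1002
}
```

Serial 1001 verifies (nil error); serial 1002 chains correctly but is rejected by the hook with an error that wraps ErrRevoked, so callers can distinguish a revocation from a chain-building failure with errors.Is.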
Signed-off-by: Cody Soyland <codysoyland@github.com>
Thanks for the wording change