Difference between revisions of "PKI-Revoke"
Line 2: | Line 2: | ||
Changes to support revocation of PKI tokens | Changes to support revocation of PKI tokens | ||
− | + | # Revoked tokens must be recorded, not merely removed from the tokens backend. To effect this there are two choices: | |
− | + | ## Add an additional collumn in the database: revoked. Change the authenticate code to check for revoked status | |
− | + | ## Create an additional table: revoked_tokens. Revoked tokens will be removed from the tokens table just as they are now, and added to the revoked_tokens table. | |
− | + | ## Either way, at token timeout, the tokens will be removed from the table. | |
− | + | # Once revoked, a token cannot be unrevoked. | |
− | + | # The Keystone server will expose a list of revoked tokens exposed in an URL. | |
− | + | ## GET /tokens/revoked/ | |
− | + | ## Only exposed on the admin port | |
− | + | ## Services runnning auth_token middleware will query the Revocation list on a simple schedule. | |
+ | ## The time out will be a configuration option. | ||
+ | ## The revocation list be a signed CMS document | ||
+ | ## The body of the revocation list will be the id_hash values of the tokens. | ||
+ | ## If a token authentication request comes in to the auth_token middle and the service does not have a recent revocation list, it is fetched from keystone. | ||
+ | ### If the Keystone server cannot be reached, authentication will fail. | ||
+ | # Future enhancements: | ||
+ | ## wait a random amount of time and then requery the Keystone server. | ||
+ | ## Support as set of Keystone servers where the policy for revocation checking can vary per server. | ||
+ | ## Support a setup where a subset of the Keystone serversare not be directly accessible. In those cases, one Keystone server can proxy the revocation list for another server. |
Revision as of 17:35, 6 August 2012
Changes to support revocation of PKI tokens
- Revoked tokens must be recorded, not merely removed from the tokens backend. To effect this there are two choices:
- Add an additional collumn in the database: revoked. Change the authenticate code to check for revoked status
- Create an additional table: revoked_tokens. Revoked tokens will be removed from the tokens table just as they are now, and added to the revoked_tokens table.
- Either way, at token timeout, the tokens will be removed from the table.
- Once revoked, a token cannot be unrevoked.
- The Keystone server will expose a list of revoked tokens exposed in an URL.
- GET /tokens/revoked/
- Only exposed on the admin port
- Services runnning auth_token middleware will query the Revocation list on a simple schedule.
- The time out will be a configuration option.
- The revocation list be a signed CMS document
- The body of the revocation list will be the id_hash values of the tokens.
- If a token authentication request comes in to the auth_token middle and the service does not have a recent revocation list, it is fetched from keystone.
- If the Keystone server cannot be reached, authentication will fail.
- Future enhancements:
- wait a random amount of time and then requery the Keystone server.
- Support as set of Keystone servers where the policy for revocation checking can vary per server.
- Support a setup where a subset of the Keystone serversare not be directly accessible. In those cases, one Keystone server can proxy the revocation list for another server.