
provide endpoint to expose cert validity and fingerprints

Open g-k opened this issue 4 years ago • 2 comments

Like #737, provide an endpoint that returns certificate validity and SHA2 fingerprints (NotBefore, NotAfter, and gpg expiration dates) for signers (this is public info for anything with a released signed artifact).

This would let:

  • autograph clients check the cert they'd use before signing (if the endpoint is authenticated and scoped to the current creds)
  • autograph operators monitor pending expirations without going to the HSM or config files

cc @hwine re: second item and CertCert work

g-k avatar Sep 02 '21 14:09 g-k

sgtm - what creds will operators use to auth? Hopefully, not some that would also enable signing! 😀

hwine avatar Sep 02 '21 15:09 hwine

> sgtm - what creds will operators use to auth? Hopefully, not some that would also enable signing! 😀

You raise a good point about making permissions explicit. Currently:

  • all users/auths have /sign/* for the key/signer ids they have access to. This could be broken down into distinct sign/{data,hash,file} permissions.
  • the monitor key has access to sign the fixed monitoring string with all signers

For the first use case, I'd grant all users access to check the certs for signers they have access to. This saves us from having to distribute additional creds for checking cert validity.

For the second use case, we can reuse the monitor creds assuming the user monitoring autograph signing also monitors certs.

Arguably, we should make the permissions more explicit and split out a separate "fetch cert info" instead of overloading the above.

g-k avatar Sep 09 '21 17:09 g-k
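The endpoint proposed in the opening post, together with the scoping discussed in the replies, as an added Go example that is not autograph's own code: it derives the public fields (SHA-256 fingerprint over the DER, NotBefore, NotAfter) from an X.509 certificate, reports whether the cert is valid at a given time and how many days remain for an expiry monitor, and gates the lookup on a per-credential signer list plus a separate "fetch cert info" permission so that monitoring credentials need not be able to sign. The `CertInfo` and `Authorization` types, the `certInfoEndpoint` function and the JSON field names are assumptions for illustration; the certificate is generated in-block as constructed data so the example runs offline. GPG key expiry is not covered here, only X.509.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CertInfo is the assumed response body for one signer; all of it is public.
type CertInfo struct {
	SignerID  string    `json:"signer_id"`
	SHA256    string    `json:"sha256_fingerprint"`
	NotBefore time.Time `json:"not_before"`
	NotAfter  time.Time `json:"not_after"`
	ValidNow  bool      `json:"valid_now"`
	DaysLeft  int       `json:"days_until_expiry"` // negative once expired
}

// certInfoFor derives the public facts: SHA-256 over the DER encoding, the
// validity window, validity at `now`, and the day count a monitor alerts on.
func certInfoFor(signerID string, cert *x509.Certificate, now time.Time) CertInfo {
	sum := sha256.Sum256(cert.Raw)
	return CertInfo{
		SignerID:  signerID,
		SHA256:    hex.EncodeToString(sum[:]),
		NotBefore: cert.NotBefore,
		NotAfter:  cert.NotAfter,
		ValidNow:  !now.Before(cert.NotBefore) && !now.After(cert.NotAfter),
		DaysLeft:  int(cert.NotAfter.Sub(now).Hours() / 24),
	}
}

// Authorization stands in for a credential's access: the signer IDs it may use,
// plus a separate "fetch cert info" permission so monitoring creds need not sign.
type Authorization struct {
	Signers  []string
	CertInfo bool
}

var errForbidden = errors.New("forbidden")

// certInfoEndpoint is the hypothetical handler core. The caller needs the certinfo
// permission AND access to that signer, so one credential cannot enumerate others' certs.
func certInfoEndpoint(auths map[string]Authorization, certs map[string]*x509.Certificate,
	cred, signerID string, now time.Time) (CertInfo, error) {
	a, ok := auths[cred]
	if !ok || !a.CertInfo {
		return CertInfo{}, errForbidden
	}
	allowed := false
	for _, s := range a.Signers {
		allowed = allowed || s == signerID
	}
	if !allowed {
		return CertInfo{}, errForbidden // same error as a bad cred: no signer enumeration
	}
	cert, ok := certs[signerID]
	if !ok {
		return CertInfo{}, fmt.Errorf("no certificate loaded for signer %q", signerID)
	}
	return certInfoFor(signerID, cert, now), nil
}

// selfSignedCert builds a throwaway ECDSA P-256 cert (constructed data, not a real signer).
func selfSignedCert(cn string, notBefore time.Time, days int) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(time.Duration(days) * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := selfSignedCert("example-signer", time.Date(2021, 9, 2, 0, 0, 0, 0, time.UTC), 365)
	if err != nil {
		panic(err)
	}
	auths := map[string]Authorization{"client-cred": {Signers: []string{"example-signer"}, CertInfo: true}}
	info, err := certInfoEndpoint(auths, map[string]*x509.Certificate{"example-signer": cert},
		"client-cred", "example-signer", time.Date(2021, 9, 9, 0, 0, 0, 0, time.UTC))
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(info, "", "  ")
	fmt.Println(string(out))
}
```

The handler returns the same `forbidden` error for an unknown credential, a credential without the certinfo permission, and a signer outside the credential's scope, so the response cannot be used to learn which signer IDs exist. A client would call this with its own creds before `/sign/*` and refuse to sign when `valid_now` is false; an operator's monitor would alert on `days_until_expiry` dropping below a threshold.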