Comment 34 for bug 1490804

Morgan Fainberg (mdrnstm) wrote : Re: PKI Token Revocation Bypass

I repeat the previous statement: Changing the hash mechanism will break everyone. DOA is absolutely not affected here.

DOA forces online validation because it hashes the PKI(Z) tokens to the SHA form. If a token is already hashed, it will only rely on the online validation, which requires matching the key in the database.

The solution for the time being is going to be addressing how middleware validates the token offline via SSL. Options I see are:

* Done via audit_ids with new forms of middleware if we make audit_ids available as a form of the TRL.
* Option to only online-validate PKI(Z) tokens.
* Offer a different hash-form TRL (not just audit-id) for new versions of middleware
* Deprecate PKI(Z) tokens [not a good idea]
* Issue OSSA and indicate this is not something we can/will fix with the PKI tokens (and deprecate) [not a great idea]

I would prefer to see an online-only validation option with an OSSA as the immediate (and potentially backportable) fix. Discussion on changing hashes, etc., can be delayed until the summit and done in the open - not under embargo. For the embargoed bug, I really want to see this not be a breaking change.

Breaking memcache for validated tokens [optionally] where the deployer is aware of the issues (due to OSSA being issued) is fine.