The X509 profile of the SPIFFE Workload API provides the ability for the server to provide the workload with a relevant set of CRLs via the FetchX509Bundles and FetchX509SVID RPCs.
Today, support for this field is omitted from go-spiffe.
Introducing support can occur in two phases:

1. Introduce support for the field to `x509bundle.Set`, with functions like `parseX509BundlesResponse` adjusted to copy the CRLs from the response into the Set type. This will expose the CRLs to those using the SDK that today a consumer would need to directly invoke the gRPC client to obtain.
2. Extend the `spiffetls` package to enforce revocations present in a CRL. I imagine we'd want to make this enforcement an opt-in feature to begin with. Unfortunately, the TLS implementation as part of the Go standard library does not support natively leveraging a CRL during X509 validation. Hence, we'd need to include this CRL verification as part of our `VerifyPeerCertificate` callback.
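A sketch of the check that the second phase would run inside the `VerifyPeerCertificate` callback, added here as an example and not go-spiffe code: it takes the peer leaf and its issuing CA as already resolved by the callback's own chain verification, plus the CRLs the SDK would hand back once the first phase lands (a hypothetical call shape), and rejects the peer if a CA-signed, unexpired CRL lists its serial. It assumes Go 1.19+ for `x509.ParseRevocationList` and `RevocationList.CheckSignatureFrom`, and the `fixture` helper only builds throwaway test material.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// checkRevoked is the kind of check the issue proposes for the spiffetls
// VerifyPeerCertificate callback (constructed example, not go-spiffe code): trust
// only CRLs the issuing CA signed and that are still current, then reject the leaf.
func checkRevoked(leaf, issuer *x509.Certificate, crls []*x509.RevocationList) error {
	for _, crl := range crls {
		if err := crl.CheckSignatureFrom(issuer); err != nil {
			return fmt.Errorf("CRL not signed by issuing CA: %w", err)
		}
		if time.Now().After(crl.NextUpdate) {
			return fmt.Errorf("CRL expired at %s", crl.NextUpdate)
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
				return fmt.Errorf("peer certificate serial %s is revoked", leaf.SerialNumber)
			}
		}
	}
	return nil
}

// fixture builds a throwaway CA, a leaf with the given serial, and a CRL revoking serial 2 (constructed data).
func fixture(serial int64) (leaf, ca *x509.Certificate, crl *x509.RevocationList) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &key.PublicKey, key)
	ca, _ = x509.ParseCertificate(caDER)
	leafDER, _ := x509.CreateCertificate(rand.Reader, &x509.Certificate{SerialNumber: big.NewInt(serial)}, ca, &key.PublicKey, key)
	leaf, _ = x509.ParseCertificate(leafDER)
	crlDER, _ := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(2), RevocationTime: time.Now()}},
	}, ca, key)
	crl, _ = x509.ParseRevocationList(crlDER)
	return
}
```

With no CRLs supplied the check passes, which is the opt-in behaviour the issue describes; whether an empty CRL set should instead fail closed is a policy decision for the package.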