
certctl(8): Remove untrusted certificates from TRUSTPATH
Abandoned, Public

Authored by freebsd_igalic.co on Feb 3 2023, 1:51 PM.

Details

Reviewers
kevans
debdrup
Group Reviewers
manpages
Summary

If a certificate from a TRUSTPATH is untrust'ed, we now remove it from
that TRUSTPATH.

PR: 250681
Sponsored by: The FreeBSD Foundation

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 49508
Build 46398: arc lint + arc unit

Event Timeline

debdrup added a subscriber: debdrup.

The mdoc(7) changes look good to me.

This revision is now accepted and ready to land. Feb 3 2023, 2:09 PM
  • fix case syntax
  • use dirname, not basename
This revision now requires review to proceed. Feb 3 2023, 2:12 PM
yuri_aetern.org added inline comments.
usr.sbin/certctl/certctl.8
29

Add a comma after "February 3", i.e.:

WARNING: cannot parse date, using it verbatim: Dd February 3 2023

After feedback from @kevans on IRC, I'm abandoning this revision, because it's the wrong way to solve this problem:

14:41 <@kevans91> it's a slippery slope, of sorts. if we rely on removing it from trustpath, we get unexpected results if someone adjusts trustpath
14:42 <@kevans91> we try to make the promise that if you distrust a cert it'll stay distrusted until you say otherwise
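
A toy model of the argument in the IRC excerpt above, added here as an example; it is not certctl's code and not part of the original review. The function names, the checksum used as a certificate identity, the deny-list file and the placeholder "certificates" are all assumptions made for the illustration.

```shell
#!/bin/sh
# Toy model, not certctl's code. "Certificates" are constructed placeholder
# files, identified by a checksum of their contents.
cert_id() { cksum < "$1"; }

# Design A (the abandoned revision): distrust by deleting the certificate
# from the trust directories that are configured at that moment.
untrust_by_removal() {
    target=$(cert_id "$1"); shift
    for dir in "$@"; do
        for f in "$dir"/*.pem; do
            [ -f "$f" ] && [ "$(cert_id "$f")" = "$target" ] && rm -f "$f"
        done
    done
    return 0
}

# Design B: distrust by recording the certificate's identity in a deny list
# kept outside the trust directories.
untrust_by_record() { cert_id "$1" >> "$2"; }

# Print every certificate in the given directories that is not denied.
rehash() {
    deny=$1; shift
    for dir in "$@"; do
        for f in "$dir"/*.pem; do
            [ -f "$f" ] || continue
            grep -qxF "$(cert_id "$f")" "$deny" || basename "$f"
        done
    done | sort -u | paste -s -d ' ' -
}

# Distrust bad.pem under one design, then rehash with a second trust
# directory that ships the same certificate (the "adjusted trustpath").
scenario() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/base" "$tmp/extra"; : > "$tmp/deny"
    echo "constructed good cert" > "$tmp/base/good.pem"
    echo "constructed bad cert"  > "$tmp/base/bad.pem"
    echo "constructed bad cert"  > "$tmp/extra/bad.pem"
    cp "$tmp/base/bad.pem" "$tmp/ref.pem"
    case $1 in
        removal) untrust_by_removal "$tmp/ref.pem" "$tmp/base" ;;
        record)  untrust_by_record  "$tmp/ref.pem" "$tmp/deny" ;;
    esac
    rehash "$tmp/deny" "$tmp/base" "$tmp/extra"
    rm -rf "$tmp"
}
```

`scenario removal` ends with the distrusted certificate trusted again through the added directory, while `scenario record` keeps it out of the store.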