certctl(8): Remove untrusted certificates from TRUSTPATH
Abandoned, Public

Authored by freebsd_igalic.co on Feb 3 2023, 1:51 PM.
Referenced Files
F132591563: D38370.diff
Sat, Oct 18, 6:00 AM

Details

Reviewers
kevans
debdrup
Group Reviewers
manpages
Summary

If a certificate from a TRUSTPATH is untrust'ed, we now remove it from
that TRUSTPATH.

PR: 250681
Sponsored by: The FreeBSD Foundation

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 49508
Build 46398: arc lint + arc unit

Event Timeline

debdrup added a subscriber: debdrup.

The mdoc(7) changes look good to me.

This revision is now accepted and ready to land. Feb 3 2023, 2:09 PM
  • fix case syntax
  • use dirname, not basename
This revision now requires review to proceed. Feb 3 2023, 2:12 PM
yuri_aetern.org added inline comments.
usr.sbin/certctl/certctl.8, line 29

Add a comma after "February 3", i.e.:

WARNING: cannot parse date, using it verbatim: Dd February 3 2023

After feedback from @kevans on IRC, I'm abandoning this revision, because it's the wrong way to solve this problem:

14:41 <@kevans91> it's a slippery slope, of sorts. if we rely on removing it from trustpath, we get unexpected results if someone adjusts trustpath
14:42 <@kevans91> we try to make the promise that if you distrust a cert it'll stay distrusted until you say otherwise
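
The objection in the IRC excerpt above, modelled as an added shell example (not certctl's code and not part of this review): distrust by deletion is undone when a second trust path carrying the same certificate is added, while a recorded fingerprint keeps it out of the store. The function names, directory layout, sample files and the use of `cksum` as a fingerprint are all assumptions made for the demonstration.

```shell
#!/bin/sh
# Simplified model, not certctl's code. A "certificate" is any *.pem file and
# its fingerprint is the cksum CRC of its contents (assumption for the demo).
fp() { cksum < "$1" | cut -d' ' -f1; }

# Approach of this revision: distrust by deleting the file from its trust path.
untrust_by_delete() { rm -f "$1"; }

# Alternative: record the fingerprint in a persistent deny directory.
untrust_by_record() {   # $1 = certificate, $2 = deny directory
    mkdir -p "$2" && : > "$2/$(fp "$1")"
}

# Rebuild the trust store from every trust path, skipping denied fingerprints.
rehash() {              # $1 = store, $2 = deny directory, rest = trust paths
    store=$1 deny=$2; shift 2
    rm -rf "$store"; mkdir -p "$store"
    for dir in "$@"; do
        for c in "$dir"/*.pem; do
            [ -f "$c" ] || continue
            [ -e "$deny/$(fp "$c")" ] && continue
            cp "$c" "$store/$(fp "$c").pem"
        done
    done
}

# Distrust bad.pem with the given mode, then "adjust the trust path" by adding
# pathB, which ships a copy of the same certificate. Prints the store size.
demo() {                # $1 = delete | record
    work=$(mktemp -d)
    mkdir -p "$work/pathA" "$work/pathB" "$work/deny"
    printf 'constructed sample: distrusted CA\n' > "$work/pathA/bad.pem"
    printf 'constructed sample: trusted CA\n' > "$work/pathA/good.pem"
    cp "$work/pathA/bad.pem" "$work/pathB/bad-copy.pem"
    case $1 in
        delete) untrust_by_delete "$work/pathA/bad.pem" ;;
        record) untrust_by_record "$work/pathA/bad.pem" "$work/deny" ;;
    esac
    rehash "$work/store" "$work/deny" "$work/pathA" "$work/pathB"
    n=$(ls "$work/store" | wc -l)
    rm -rf "$work"
    echo $((n))
}

echo "delete: $(demo delete) trusted, record: $(demo record) trusted"
```

In `delete` mode the store ends up with two entries because the copy in `pathB` is trusted again; in `record` mode only the good certificate remains.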