Add Authz revocation upon Cert revocation, by feature flag. #8799
ezekiel wants to merge 11 commits into
Conversation
@ezekiel, this PR appears to contain configuration and/or SQL schema changes. Please ensure that a corresponding deployment ticket has been filed with the new values.

@ezekiel, this PR adds one or more new feature flags: RevokeAuthzsUponRevokeCert. As such, this PR must be accompanied by a review of the Let's Encrypt CP/CPS to ensure that our behavior both before and after this flag is flipped is compliant with that document. Please conduct such a review, then add your findings to the PR description in a paragraph beginning with "CPS Compliance Review:".

CPS Compliance Review: Our CP/CPS does not directly discuss authorization revocation - there ARE important points about authorization re-use time frames, including in the Baseline Requirements 4.2.1. This flag does not modify authorization re-use time frames. After enabling this flag, authorizations may be revoked in a particular circumstance, which fully prevents their re-use regardless of their age.
aarongable
left a comment
LGTM with a few small nits!
Because it can revoke multiple authorizations. Co-authored-by: Aaron Gable <aaron@letsencrypt.org>
Update retrybackoff usage of authz revocation tests to 1) retry more quickly in the test expecting change, but 2) retry over a longer period of time in the test expecting stability to try to extend beyond the custom context timeout of the RA function. Rename SA gRPC methods to be consistently plural, reflecting their capability.
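To make the flag's effect and the plural SA method naming concrete, here is an added example that is not Boulder's code: the store, cert and authorization types are constructed stand-ins, and only the flag name RevokeAuthzsUponRevokeCert comes from this PR. It models a certificate revocation that, only when the flag is on, also revokes every still-valid authorization for the certificate's identifiers, leaving unrelated authorizations untouched.

```go
package main

// Features mirrors the flag named in the PR; everything else here is a constructed model.
type Features struct{ RevokeAuthzsUponRevokeCert bool }
type Authz struct{ ID, Identifier, Status string } // Status is "valid" or "revoked"
type Cert struct {
	Identifiers []string
	Revoked     bool
}

// Store is a hypothetical in-memory stand-in for the storage authority (SA).
type Store struct{ Authzs map[string]*Authz }

// RevokeAuthzsForIdentifiers revokes every still-valid authz covering any of the
// identifiers and returns how many it revoked (plural: one call may revoke several).
func (s *Store) RevokeAuthzsForIdentifiers(idents []string) int {
	want := map[string]bool{}
	for _, id := range idents {
		want[id] = true
	}
	n := 0
	for _, a := range s.Authzs {
		if want[a.Identifier] && a.Status == "valid" {
			a.Status = "revoked"
			n++
		}
	}
	return n
}

// RevokeCert marks the cert revoked and, only when the flag is on, also revokes the
// authorizations for its identifiers so they cannot be re-used regardless of their age.
func RevokeCert(s *Store, f Features, c *Cert) int {
	c.Revoked = true
	if !f.RevokeAuthzsUponRevokeCert {
		return 0
	}
	return s.RevokeAuthzsForIdentifiers(c.Identifiers)
}

// NewSample returns constructed data: a cert for two names, valid authorizations for
// both, and one unrelated authorization that must stay valid.
func NewSample() (*Store, *Cert) {
	s := &Store{Authzs: map[string]*Authz{
		"a1": {ID: "a1", Identifier: "example.com", Status: "valid"},
		"a2": {ID: "a2", Identifier: "www.example.com", Status: "valid"},
		"a3": {ID: "a3", Identifier: "other.example", Status: "valid"},
	}}
	return s, &Cert{Identifiers: []string{"example.com", "www.example.com"}}
}
```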