Skip to content

Add Authz revocation upon Cert revocation, by feature flag.#8799

Open
ezekiel wants to merge 11 commits into
mainfrom
ezekiel/sa-revoke-authorization
Open

Add Authz revocation upon Cert revocation, by feature flag.#8799
ezekiel wants to merge 11 commits into
mainfrom
ezekiel/sa-revoke-authorization

Conversation

@ezekiel

@ezekiel ezekiel commented Jun 15, 2026

Copy link
Copy Markdown
Member

No description provided.

Comment thread sa/proto/sa.proto Outdated
@ezekiel ezekiel changed the title Add RevokeAuthorizations func to the SA gRPC service. Add Authz revocation upon Cert revocation, by feature flag. Jun 23, 2026
@ezekiel ezekiel marked this pull request as ready for review June 30, 2026 17:32
@ezekiel ezekiel requested a review from a team as a code owner June 30, 2026 17:32
@ezekiel ezekiel requested a review from jsha June 30, 2026 17:32
@github-actions

Copy link
Copy Markdown
Contributor

@ezekiel, this PR appears to contain configuration and/or SQL schema changes. Please ensure that a corresponding deployment ticket has been filed with the new values.

@github-actions

Copy link
Copy Markdown
Contributor

@ezekiel, this PR adds one or more new feature flags: RevokeAuthzsUponRevokeCert. As such, this PR must be accompanied by a review of the Let's Encrypt CP/CPS to ensure that our behavior both before and after this flag is flipped is compliant with that document.

Please conduct such a review, then add your findings to the PR description in a paragraph beginning with "CPS Compliance Review:".

@ezekiel

ezekiel commented Jun 30, 2026

Copy link
Copy Markdown
Member Author

CPS Compliance Review:

Our CP/CPS does not directly discuss authorization revocation - there ARE important points about authorization re-use time frames, including in the Baseline Requirements 4.2.1. This flag does not modify authorization re-use time frames. After enabling this flag, authorizations may be revoked in a particular circumstance, which fully prevents their re-use regardless of their age.

@letsencrypt letsencrypt deleted a comment from github-actions Bot Jun 30, 2026
aarongable
aarongable previously approved these changes Jul 1, 2026

@aarongable aarongable left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM with a few small nits!

Comment thread ra/ra.go Outdated
Comment thread ra/ra.go Outdated
Comment thread sa/proto/sa.proto Outdated
Comment thread sa/sa.go Outdated
Comment thread test/integration/revocation_test.go Outdated
Comment thread test/integration/revocation_test.go Outdated
Because it can revoke multiple authorizations.

Co-authored-by: Aaron Gable <aaron@letsencrypt.org>
ezekiel added 2 commits July 2, 2026 22:00
Update retrybackoff usage of authz revocation tests to 1) retry more
quickly in the test expecting change, but 2) retry over a longer period
of time in the test expecting stability to try to extend beyond the
custom context timeout of the RA function.

Rename SA gRPC methods to be consistently plural, reflecting their
capability.
@ezekiel ezekiel requested a review from aarongable July 2, 2026 22:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants