cloudflare / cfssl

CFSSL: Cloudflare's PKI and TLS toolkit
https://cfssl.org/
BSD 2-Clause "Simplified" License

api/revoke method enable auth #916

Open kaarolch opened 6 years ago

kaarolch commented 6 years ago

Is there any way to enable auth for the revoke method from the API? Currently, if you know the Serial and AKI you can revoke a key. IMHO there should be a possibility to enable auth. How do you deal with this problem? I can try to implement some additional key and add it to api/revoke.go. Is there any reason why it was not implemented yet?

ttinkr commented 4 years ago

I just found the same problem when thinking about revocation with cfssl and came here. An attacker could collect certificates (which is public information) and then revoke all of them at once. If re-issuing is not fully automated this would lead to a Denial of Service.

@kaarolch Have you been able to come up with a solution for this? For the moment I will disable the revoke endpoint and revoke manually on the CLI if needed.

Cheers, Thomas
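One way to put the revoke endpoint behind a shared-secret check, as an added illustration rather than cfssl's own code: a middleware that requires an HMAC-SHA256 token over the request body before the revocation handler runs, so a serial and AKI harvested from public certificates are not enough on their own. The `X-Auth-Token` header name, the key, and the stand-in handler are assumptions for this example.

```go
package main
import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"io"
	"net/http"
	"net/http/httptest"
)

// Token computes hex(HMAC-SHA256(key, body)); a legitimate client sends it in X-Auth-Token.
func Token(key, body []byte) string {
	m := hmac.New(sha256.New, key)
	m.Write(body)
	return hex.EncodeToString(m.Sum(nil))
}

// RequireToken rejects any request whose token does not match its body under key (constant-time compare).
func RequireToken(key []byte, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(io.LimitReader(r.Body, 64<<10))
		if err != nil || !hmac.Equal([]byte(Token(key, body)), []byte(r.Header.Get("X-Auth-Token"))) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		r.Body = io.NopCloser(bytes.NewReader(body)) // hand the body back to the real handler
		next.ServeHTTP(w, r)
	})
}

// revokeHandler stands in for api/revoke: it validates the JSON fields and reports success.
func revokeHandler(w http.ResponseWriter, r *http.Request) {
	var req map[string]string // cfssl keys on "serial" and "authority_key_id"
	if json.NewDecoder(r.Body).Decode(&req) != nil || req["serial"] == "" || req["authority_key_id"] == "" {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// PostRevoke sends one revoke request through the wrapped handler and returns the HTTP status.
func PostRevoke(key []byte, body, token string) int {
	req := httptest.NewRequest(http.MethodPost, "/api/v1/cfssl/revoke", bytes.NewBufferString(body))
	req.Header.Set("X-Auth-Token", token)
	rec := httptest.NewRecorder()
	RequireToken(key, http.HandlerFunc(revokeHandler)).ServeHTTP(rec, req)
	return rec.Code
}
```

Because the token is bound to the exact body, a valid token captured for one serial cannot be replayed against a different one; adding a timestamp to the signed data, as cfssl's own authenticated requests do, would also limit straight replays.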