vmware / vic

vSphere Integrated Containers Engine is a container runtime for vSphere.
http://vmware.github.io/vic

Certificate revocation support #2851

Open hickeng opened 7 years ago

hickeng commented 7 years ago

Add a form of certificate revocation to the VCH.

The two most obvious approaches both involve providing the VCH with a URL for one of the following:

  1. https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol (preferred)
  2. CRL - download a list from a supplied URL: https://en.wikipedia.org/wiki/Revocation_list

I do not think Go has built-in support for certificate revocation, so this is likely to be an involved piece of work.

https://bugzilla.eng.vmware.com/show_bug.cgi?id=1727653

If we do this I think we should engage with the Go community about adding revocation support to the TLS implementation and certificate packages rather than hack it into place in the personality code. This is an opportunity for community give-back.
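Added example, not code from the vic project or from this comment's author: what option 2 (CRL) looks like on top of the standard library alone. crypto/tls still performs no revocation checking itself, but since Go 1.19 crypto/x509 can create and parse CRLs (`x509.RevocationList`), so the check can live in a `tls.Config.VerifyPeerCertificate` callback rather than in a patched TLS stack. Everything here is constructed for the example: the CA, the two client certificates, and the CRL are generated in-process instead of being fetched from a configured URL, and the function names (`newCert`, `issueCRL`, `revocationHook`, `demo`) are this example's own. The hook fails closed: an issuer without a matching, correctly signed CRL, a CRL past its NextUpdate, or a listed serial all reject the handshake.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// must aborts on error; acceptable here only because these calls build test fixtures.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert is fixture setup (constructed for this example): a client-auth certificate for cn
// signed by parent, or a self-signed CA able to sign certificates and CRLs when parent is nil.
func newCert(serial int64, cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// issueCRL signs a CRL listing the given serials, valid for one hour, and parses it back
// the way a VCH would parse one downloaded from the configured URL.
func issueCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serials ...*big.Int) (*x509.RevocationList, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(time.Hour)}
	for _, s := range serials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: time.Now()})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// revocationHook returns a tls.Config.VerifyPeerCertificate callback that fails closed:
// a chain is rejected unless its issuer signed crl, crl is fresh, and no serial is listed.
func revocationHook(crl *x509.RevocationList, now func() time.Time) func([][]byte, [][]*x509.Certificate) error {
	revoked := map[string]bool{}
	for _, rc := range crl.RevokedCertificates {
		revoked[rc.SerialNumber.String()] = true
	}
	return func(_ [][]byte, chains [][]*x509.Certificate) error {
		if len(chains) == 0 { // crypto/tls only fills this in with ClientAuth = RequireAndVerifyClientCert
			return errors.New("revocation: no verified chain to check")
		}
		for _, chain := range chains {
			for i := 0; i+1 < len(chain); i++ {
				cert, issuer := chain[i], chain[i+1]
				switch {
				case !bytes.Equal(issuer.RawSubject, crl.RawIssuer) || crl.CheckSignatureFrom(issuer) != nil:
					return fmt.Errorf("revocation: no trusted CRL for issuer %q", issuer.Subject.CommonName)
				case now().After(crl.NextUpdate):
					return errors.New("revocation: CRL is past NextUpdate")
				case revoked[cert.SerialNumber.String()]:
					return fmt.Errorf("revocation: %q (serial %s) is revoked", cert.Subject.CommonName, cert.SerialNumber)
				}
			}
		}
		return nil
	}
}

// demo builds a CA and two client certs, revokes one, and runs the hook over the chains
// crypto/tls would hand it, once with a fresh clock and once past the CRL's NextUpdate.
func demo() (revokedErr, validErr, staleErr error) {
	ca, caKey := newCert(1, "test CA", nil, nil)
	bad, _ := newCert(1001, "client-1001", ca, caKey)
	good, _ := newCert(1002, "client-1002", ca, caKey)
	crl := must(issueCRL(ca, caKey, bad.SerialNumber))
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	chains := func(c *x509.Certificate) [][]*x509.Certificate {
		return must(c.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}))
	}
	fresh := revocationHook(crl, time.Now)
	stale := revocationHook(crl, func() time.Time { return crl.NextUpdate.Add(time.Second) })
	return fresh(nil, chains(bad)), fresh(nil, chains(good)), stale(nil, chains(good))
}

func main() {
	r, v, s := demo()
	fmt.Printf("revoked client: %v\nvalid client: %v\nstale CRL: %v\n", r, v, s)
}
```

In a server the hook is set as `VerifyPeerCertificate` on the `tls.Config` together with `ClientAuth: tls.RequireAndVerifyClientCert`; crypto/tls runs it only after normal chain verification has already passed, so the callback sees verified chains and only has to answer the revocation question. Option 1 (OCSP) is not in the standard library at all (golang.org/x/crypto/ocsp covers the message format but not the fetching or caching policy), and needs a reachable responder at handshake time, whereas a CRL can be delivered to the VCH out of band and refreshed on a schedule. Either way the policy decision is what to do when the revocation data is missing or stale; this example refuses the connection, which is the safe default but means a VCH that cannot reach its CRL URL will stop accepting clients once the current CRL expires.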

zjs commented 6 years ago

Open question: Are a sufficient percentage of VCHs deployed such that they have access to the public Internet?