#1309 Recovering of a revoked cert erroneously reflects "active" in the token db cert entry
Closed: Fixed None Opened 9 years ago by mharmsen.

This is a case with external registration with delegation. In the delegation
case, an executive's encryption cert is stored on the token, and the cert is
marked in the TPS database as "active".

This process still succeeds even if the executive's encryption cert is revoked.
The cert remains revoked on the CA, but is marked as "active" on the TPS,
leading to an inconsistency between the two databases.

The right solution for this is probably to fail the enrollment.


The description of this bug should be changed per direction changed in the original bug:
copied from comment #2 of 1200107
The externalReg design was to give people maximum control without burdening tps with the policies. For example, if an employee is terminated, and token/certs revoked, one would want to allow the admin to recover a revoked cert to decrypt encrypted emails.

Looking at the description itself, it also talks about a discrepancy between tokendb and actual cert status. I think if anything is to be done at all, it would be just to mark the cert on the token to reflect the status on the CA. We should not disallow the recovery from succeeding in the case of recovering a revoked cert onto the token. This way, we will give the admin the full control that externalReg promised.

or, at least add a config option to allow/disallow this to happen, and default to allow.

Moving to 10.2.4 per CS team meeting.

Per Dogtag 10.2.x TRIAGE meeting of 04/28/2015: (Tech Preview Feature - 8.1.6 forward-port)

pushed to master
commit cb359cb37cf62d357f8c960c7dfb96aa1d537e53

Since associated bug was re-opened and moved to 9.1 during QE verification, ticket was re-opened and moved to 10.3.

Just a note to say that
1. https://bugzilla.redhat.com/show_bug.cgi?id=1200107 has been fixed and QE verified
2. I think https://bugzilla.redhat.com/show_bug.cgi?id=1202533 was left to capture the proposal to "add a config option to allow/disallow recovering revoked certs"; that has not been implemented;

oops, correction. Just looked at the code again. It was implemented (memory glitch). The config was:
externalReg.allowRecoverInvalidCert.enable

I believe with the right config parameter, this feature should work.
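The behaviour debated in this ticket (recover onto the token, but record the CA's real status instead of an unconditional "active", gated by `externalReg.allowRecoverInvalidCert.enable`) plus a reconciliation check for the tokendb/CA discrepancy the description reports, as a constructed Python model. This is an added illustration, not Dogtag or TPS code: the config key name is the one quoted in the comment above, but the value parsing, the "true" default, the status vocabulary and the sample records are all assumptions.

```python
"""Constructed model of revoked-cert recovery and tokendb/CA reconciliation.

Not Dogtag/TPS code. The config key is the one named in the ticket; the
semantics modelled here (string "true"/"false", default allow, mirror the
CA status into the token db) are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

CONFIG_KEY = "externalReg.allowRecoverInvalidCert.enable"

# CA-side statuses (constructed vocabulary, not the CA's real one)
CA_VALID = "VALID"
CA_REVOKED = "REVOKED"


@dataclass
class TokenCertRecord:
    """One cert entry as the TPS token db would record it (assumed shape)."""
    token_id: str
    cert_serial: str
    status: str  # "active" or "revoked"


class RecoveryRefused(Exception):
    """Recovery of a non-valid cert is disallowed by configuration."""


def allow_invalid_recovery(config: Dict[str, str]) -> bool:
    # CS.cfg-style values are strings; assumed default is "true" (allow),
    # matching the "default to allow" proposal in the ticket.
    return config.get(CONFIG_KEY, "true").strip().lower() == "true"


def recover_cert_to_token(token_id: str, cert_serial: str,
                          ca_status: str, config: Dict[str, str]) -> TokenCertRecord:
    """Decide whether recovery proceeds and what status the token db records.

    Instead of always writing "active" (the bug), the record mirrors the
    CA's status so the two databases stay consistent.
    """
    if ca_status != CA_VALID and not allow_invalid_recovery(config):
        raise RecoveryRefused(
            f"cert {cert_serial} is {ca_status} on the CA and "
            f"{CONFIG_KEY} is not enabled")
    status = "active" if ca_status == CA_VALID else "revoked"
    return TokenCertRecord(token_id, cert_serial, status)


def find_status_mismatches(records: List[TokenCertRecord],
                           ca_statuses: Dict[str, str]) -> List[Tuple[TokenCertRecord, str]]:
    """Reconciliation check: flag token db entries whose status disagrees
    with the CA, i.e. the inconsistency described in the ticket."""
    mismatches = []
    for rec in records:
        ca = ca_statuses.get(rec.cert_serial)
        if ca is None:
            mismatches.append((rec, "serial unknown to CA"))
        elif rec.status == "active" and ca == CA_REVOKED:
            mismatches.append((rec, "active in token db but revoked on CA"))
        elif rec.status == "revoked" and ca == CA_VALID:
            mismatches.append((rec, "revoked in token db but valid on CA"))
    return mismatches


# Constructed sample data: serials and token ids are made up.
SAMPLE_CA_STATUS = {"0x1a": CA_VALID, "0x2b": CA_REVOKED, "0x3c": CA_REVOKED}
SAMPLE_TOKEN_DB = [
    TokenCertRecord("TOK001", "0x1a", "active"),   # consistent
    TokenCertRecord("TOK002", "0x2b", "active"),   # the bug: revoked cert marked active
    TokenCertRecord("TOK003", "0x3c", "revoked"),  # consistent after the fix
]

if __name__ == "__main__":
    for rec, why in find_status_mismatches(SAMPLE_TOKEN_DB, SAMPLE_CA_STATUS):
        print(f"{rec.token_id} serial {rec.cert_serial}: {why}")
    cfg = {CONFIG_KEY: "true"}
    print(recover_cert_to_token("TOK004", "0x2b", CA_REVOKED, cfg))
```

Running the reconciliation over the sample records reports only TOK002, the "active but revoked on CA" case; with the option set to "false" the same recovery raises `RecoveryRefused` instead of writing a record.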

Metadata Update from @mharmsen:
- Issue assigned to cfu
- Issue set to the milestone: 10.4.0

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/1871

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.

