Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
C
caucase
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Analytics
Analytics
CI / CD
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jérome Perrin
caucase
Commits
c77d0042
Commit
c77d0042
authored
Sep 20, 2018
by
Łukasz Nowak
Committed by
Vincent Pelletier
Sep 21, 2018
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
README: Fix typos
parent
60e44966
Changes
1
Show whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
9 additions
and
9 deletions
+9
-9
README.rst
README.rst
+9
-9
No files found.
README.rst
View file @
c77d0042
...
@@ -26,7 +26,7 @@ constraint at all on subject and alternate subject certificate fields.
...
@@ -26,7 +26,7 @@ constraint at all on subject and alternate subject certificate fields.
To still allow certificates to be used, caucase uses itself to authenticate
To still allow certificates to be used, caucase uses itself to authenticate
users (humans or otherwise) who implement the validation procedure: they tell
users (humans or otherwise) who implement the validation procedure: they tell
caucase what certificates to emit. Once done, any certificate can be
caucase what certificates to emit. Once done, any certificate can be
prol
ungat
ed at a simple request of the key holder while the to-renew
prol
ong
ed at a simple request of the key holder while the to-renew
certificate is still valid (not expired, not revoked).
certificate is still valid (not expired, not revoked).
Bootstrapping the system (creating the first service certificate for
Bootstrapping the system (creating the first service certificate for
...
@@ -37,7 +37,7 @@ set number of certificates upon submission.
...
@@ -37,7 +37,7 @@ set number of certificates upon submission.
Vocabulary
Vocabulary
==========
==========
Caucase manipulates the following asymetric cryptography concepts.
Caucase manipulates the following asym
m
etric cryptography concepts.
- Key pair: A private key and corresponding public key. The public key can be
- Key pair: A private key and corresponding public key. The public key can be
derived from the private key, but not the other way around. As a consequence,
derived from the private key, but not the other way around. As a consequence,
...
@@ -54,11 +54,11 @@ Caucase manipulates the following asymetric cryptography concepts.
...
@@ -54,11 +54,11 @@ Caucase manipulates the following asymetric cryptography concepts.
certified, which they send to a certificate authority. The certificate signing
certified, which they send to a certificate authority. The certificate signing
request contains the public key and desired set of attributes that the CA
request contains the public key and desired set of attributes that the CA
should pronounce itself on. The CA has all liberty to issue a different set
should pronounce itself on. The CA has all liberty to issue a different set
of att
i
ributes, or to not issue a certificate.
of attributes, or to not issue a certificate.
- Certificate revocation list: Lists the certificates which were issued by a CA
- Certificate revocation list: Lists the certificates which were issued by a CA
but which should not be trusted an
n
ymore. This can happen for a variety of
but which should not be trusted anymore. This can happen for a variety of
reasons: the private key was compromised, or its own
e
ing entity should not be
reasons: the private key was compromised, or its owning entity should not be
trusted anymore (ex: entity's permission to access to protected service was
trusted anymore (ex: entity's permission to access to protected service was
revoked).
revoked).
...
@@ -69,7 +69,7 @@ Caucase manipulates the following asymetric cryptography concepts.
...
@@ -69,7 +69,7 @@ Caucase manipulates the following asymetric cryptography concepts.
Validity period
Validity period
===============
===============
Cryptographic keys wear out as are used and a
nd a
s they age.
Cryptographic keys wear out as are used and as they age.
Of course, they do not bit-rot nor become thinner with use. But each time one
Of course, they do not bit-rot nor become thinner with use. But each time one
uses a key and each minute an attacker had access to a public key, fractions
uses a key and each minute an attacker had access to a public key, fractions
...
@@ -87,7 +87,7 @@ Then the CA certificate has a default life span of 4 "normal" certificate
...
@@ -87,7 +87,7 @@ Then the CA certificate has a default life span of 4 "normal" certificate
validity periods. As CA renewal happens in caucase without x509-level cross
validity periods. As CA renewal happens in caucase without x509-level cross
signing (by decision, to avoid relying on intermediate CA support on
signing (by decision, to avoid relying on intermediate CA support on
certificate presenter side and instead rely on more widespread
certificate presenter side and instead rely on more widespread
multi-CA-certificate support on v
i
rifier side), there is a hard lower bound of
multi-CA-certificate support on v
e
rifier side), there is a hard lower bound of
3 validity periods, under which the CA certificate cannot be reliably renewed
3 validity periods, under which the CA certificate cannot be reliably renewed
without risking certificate validation issues for emitted "normal"
without risking certificate validation issues for emitted "normal"
certificates. CA certificate renewal is composed of 2 phases:
certificates. CA certificate renewal is composed of 2 phases:
...
@@ -106,7 +106,7 @@ certificates. CA certificate renewal is composed of 2 phases:
...
@@ -106,7 +106,7 @@ certificates. CA certificate renewal is composed of 2 phases:
out of use as its signed "normal" certificates expire.
out of use as its signed "normal" certificates expire.
By default, all caucase tools will generate a new private key unrelated to the
By default, all caucase tools will generate a new private key unrelated to the
previous one on each certificat renewal.
previous one on each certificat
e
renewal.
Lastly, there is another limited validity period, although not for the same
Lastly, there is another limited validity period, although not for the same
reasons: the list of revoked certificates also has a maximum life span. In
reasons: the list of revoked certificates also has a maximum life span. In
...
@@ -258,7 +258,7 @@ their access only via different credentials.
...
@@ -258,7 +258,7 @@ their access only via different credentials.
- key holders manifest themselves
- key holders manifest themselves
- admin picks a key holder, requests them to provide their existing private key
- admin picks a key holder, requests them to provide their existing private key
and to generate a new key and accompanying
csr
and to generate a new key and accompanying
CSR
- key holder provide requested items
- key holder provide requested items
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment