Support for marking self-signed certs without crlDistributionPoints as Verified
Release notes
Problem to solve
With regard to how GitLab handles X.509 we say:
Self signed certificates without authorityKeyIdentifier, subjectKeyIdentifier, and crlDistributionPoints are not supported. We recommend using certificates from a PKI that are in line with RFC 5280.
If an organization has a certificate management approach that is not in accordance with these guidelines, commits that have been signed will not appear as Verified or Unverified.
Proposal
For a large Premium customer, it would be helpful if we could introduce support for certificates that are signed by a root cert that the customer designates as trusted and do not have a crlDistributionPoint specified. In this case, the crlDistributionPoints are not in the keys - a separate process is in place to handle revocation.
I think the CRL validation happens near /app/models/x509_issuer.rb#L12 (source).
On How GitLab handles X.509, we also say:
Certificate revocation lists are checked on a daily basis via background worker.
Additional work may be required to prevent having a background worker check a certificate revocation list for certificates that don't have the requisite information embedded.
Intended users
- Developers in organizations that have an approach to certificate management that does not completely fit in with our guidelines or RFC 5280.
Personas are described at https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/
- Cameron (Compliance Manager)
- Sasha (Software Developer)
- Devon (DevOps Engineer)
- Sidney (Systems Administrator)
- Sam (Security Analyst)
- Alex (Security Operations Engineer)
- Simone (Software Engineer in Test)
User experience goal
The user should be able to sign commits with an existing self-signed certificate without crlDistributionPoints and have that commit marked as Verified in the Web interface.
Further details
Permissions and Security
Documentation
Docs that would need to be updated include:
- How GitLab handles X.509 section of "Signing commits and tags with X.509"
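To see which signing certificates fall under the limitation quoted in "Problem to solve", and which ones give a periodic CRL check nothing to fetch, the following added example (not part of the original issue and not GitLab's own code) audits a certificate for the three extensions named above. The helper names, the sample subject and the CRL URL are hypothetical, and the certificates are constructed in memory.

```ruby
require 'openssl'

# Extensions the page lists as required for GitLab's X.509 handling.
REQUIRED_EXTENSIONS = %w[authorityKeyIdentifier subjectKeyIdentifier crlDistributionPoints].freeze

# Names of the required extensions that are absent from the certificate.
def missing_extensions(cert)
  REQUIRED_EXTENSIONS - cert.extensions.map(&:oid)
end

# CRL URLs embedded in the certificate; empty when crlDistributionPoints is absent.
def crl_urls(cert)
  ext = cert.extensions.find { |e| e.oid == 'crlDistributionPoints' }
  ext ? ext.value.scan(/URI:(\S+)/).flatten : []
end

# Summary showing whether the certificate carries anything a CRL check could fetch.
def audit(cert)
  urls = crl_urls(cert)
  { self_signed: cert.subject.to_der == cert.issuer.to_der,
    missing: missing_extensions(cert),
    crl_urls: urls,
    crl_checkable: !urls.empty? }
end

# Constructed sample certificate (hypothetical subject and CRL URL), built in memory.
def build_self_signed(with_extensions:)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=Example Signing Root')
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  if with_extensions
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = ef.issuer_certificate = cert
    cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
    cert.add_extension(ef.create_extension('authorityKeyIdentifier', 'keyid:always'))
    cert.add_extension(ef.create_extension('crlDistributionPoints', 'URI:http://crl.example.test/root.crl'))
  end
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

if __FILE__ == $PROGRAM_NAME
  [true, false].each { |flag| p audit(build_self_signed(with_extensions: flag)) }
end
```

To audit a real certificate, pass `OpenSSL::X509::Certificate.new(File.read(path))` to `audit` instead of the constructed samples.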