• Vincent Pelletier's avatar
    WIP all: Refuse to renew too-young certificates. · 2c1f9099
    Vincent Pelletier authored
    Makes it harder for a compromised certificate to escape revocation by
    renewing itself faster than it can be identified and revoked.
    
    TODO:
    - fix tests
    - coverage
    - maybe just refuse to renew any cert more than once, to prevent
      "lineage forks" without introducing such new deadline ? (probably not
      a good idea, losing one's certificate happens and should not cause
      such punishment)
    - only enable for CAU certificates ?
    - distinguish issuance tracking between renewal and user issuance ?
    - auto-revoke certificates issued by renewal, but not those issued by user
      cert ?
    - 10 days is way too long. above an hour it will get in the way, and
      revoking multiple should not take too long... if there was a way to
      recognise serials (cf. previous commit)
    2c1f9099
wsgi.py 35.8 KB