On Tue, Oct 22, 2024 at 05:25:17PM +0000, Corey Bonnell wrote: > For better or worse, it is not uncommon to install linting software on > the same host as the CA system itself.
I'll vote for "worse", for whatever it's worth. > In fact, that is how one popular CA software suite invokes external > linters: it expects a CLI tool to be installed locally to perform > linting. Given that pkimetal runs as a HTTP service, the "CLI tool" that the CA software runs would need to be a `curl | jq` (or similar) shell script. That would remove the need for pkimetal itself to be running on the same machine even for that CA software suite. > Having a linter running on the CA host dial out to the wider Internet > is not a good idea given the security-sensitive nature of the host and > the software it is running. Having *anything* running on the CA host itself dial out to the wider Internet seems like a recipe for giving your SOC a regular panic attack. > A secondary concern is that external API calls are harder to reason > about in terms of performance impact due to variability in API > response times. I'm not averse to providing the pwnedkeys dataset in other forms, if the live-query-over-HTTP model is the only barrier to adoption by someone who will make use of the data. Hell, I can provide a replication slot on the PostgreSQL database (that you can feed into a machine in your infrastructure) if that'll work. But nobody has ever actually reached out to discuss how to come up with a design that meets both parties' needs. For example, every time someone says "why not just provide an SPKI dump?", I explain why that won't work without additional engineering to ensure currency of the dataset, and then... crickets. - Matt -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/bafdf285-5fcd-4fbc-893f-80a88bdf4e59%40mtasv.net.
