Ivan,

Thank you for writing this up. This PIP looks great to me! +1

just one question:

> This will add the subject key identifier to zookeeper under /tls/revoked/<subject-key-id>. All brokers and proxies cache the children /tls/revoked.

Instead of using zookeeper, can we consider using a managed ledger or a system topic for keeping all these revoked keys?

- Sijie

On Tue, Aug 7, 2018 at 1:12 AM Ivan Kelly <iv...@apache.org> wrote:

> Hi folks,
>
> This is a PIP to add a mechanism to block TLS client certs from
> accessing Pulsar if they have been compromised.
>
> This is a relatively small change, but I thought it best to put it to
> the community before moving ahead with it, as people may have opinions
> on the approach.
>
> The PIP is here:
>
> https://github.com/apache/incubator-pulsar/wiki/PIP-20%3A-Mechanism-to-revoke-TLS-authentication
>
> Cheers,
> Ivan