Skip to content

Add Authz revocation upon Cert revocation, by feature flag.#8799

Open
ezekiel wants to merge 9 commits into
mainfrom
ezekiel/sa-revoke-authorization
Open

Add Authz revocation upon Cert revocation, by feature flag.#8799
ezekiel wants to merge 9 commits into
mainfrom
ezekiel/sa-revoke-authorization

Conversation

@ezekiel

@ezekiel ezekiel commented Jun 15, 2026

Copy link
Copy Markdown
Member

No description provided.

Comment thread sa/proto/sa.proto Outdated
@ezekiel ezekiel changed the title Add RevokeAuthorizations func to the SA gRPC service. Add Authz revocation upon Cert revocation, by feature flag. Jun 23, 2026
@ezekiel ezekiel marked this pull request as ready for review June 30, 2026 17:32
@ezekiel ezekiel requested a review from a team as a code owner June 30, 2026 17:32
@ezekiel ezekiel requested a review from jsha June 30, 2026 17:32
@github-actions

Copy link
Copy Markdown
Contributor

@ezekiel, this PR appears to contain configuration and/or SQL schema changes. Please ensure that a corresponding deployment ticket has been filed with the new values.

@github-actions

Copy link
Copy Markdown
Contributor

@ezekiel, this PR adds one or more new feature flags: RevokeAuthzsUponRevokeCert. As such, this PR must be accompanied by a review of the Let's Encrypt CP/CPS to ensure that our behavior both before and after this flag is flipped is compliant with that document.

Please conduct such a review, then add your findings to the PR description in a paragraph beginning with "CPS Compliance Review:".

@ezekiel

ezekiel commented Jun 30, 2026

Copy link
Copy Markdown
Member Author

CPS Compliance Review:

Our CP/CPS does not directly discuss authorization revocation - there ARE important points about authorization re-use time frames, including in the Baseline Requirements 4.2.1. This flag does not modify authorization re-use time frames. After enabling this flag, authorizations may be revoked in a particular circumstance, which fully prevents their re-use regardless of their age.

@letsencrypt letsencrypt deleted a comment from github-actions Bot Jun 30, 2026
aarongable
aarongable previously approved these changes Jul 1, 2026

@aarongable aarongable left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM with a few small nits!

Comment thread ra/ra.go
return nil
}

func (ra *RegistrationAuthorityImpl) revokeAuthorizations(ctx context.Context, cert *x509.Certificate, smeta *sapb.SerialMetadata) {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The only thing this function uses smeta for is the regID, so just pass the bare regID instead.

Comment thread ra/ra.go
return nil
}

func (ra *RegistrationAuthorityImpl) revokeAuthorizations(ctx context.Context, cert *x509.Certificate, smeta *sapb.SerialMetadata) {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add a doc comment describing this function and the fact that its calling contract requires that it be called as a background goroutine (otherwise the context timeout change will cause problems).

Comment thread sa/proto/sa.proto Outdated
Comment thread sa/sa.go
Comment on lines +467 to +469
"expirenow": ssa.clk.Now(),
"valid": statusUint(core.StatusValid),
"pending": statusUint(core.StatusPending),

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: these three are out of order relative to the order they're used in the actual sequel statement.

}
}

// waitForAuthzStatusChange uses an acme client to poll some(a slice of)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
// waitForAuthzStatusChange uses an acme client to poll some(a slice of)
// waitForAuthzStatusChange uses an acme client to poll some (a slice of)

same below

t.Helper()

for try := range 4 {
time.Sleep(core.RetryBackoff(try, time.Second, 2*time.Second, 1.5))

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd say you can start much faster than time.Second; the vast majority of integration test operations are probably complete within double-digit milliseconds.

Because it can revoke multiple authorizations.

Co-authored-by: Aaron Gable <aaron@letsencrypt.org>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants