Add RFC 1022 & 1023 for asynchronous enrollment #11762
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
touilleMan
force-pushed
the
rfc-local-device-smartcard
branch
from
876aad7 to
327136c
Compare
touilleMan
changed the title
touilleMan
force-pushed
the
rfc-local-device-smartcard
branch
2 times, most recently
from
875cf3b to
cd0c0d2
Compare
touilleMan
force-pushed
the
rfc-local-device-smartcard
branch
from
cd0c0d2 to
22f6195
Compare
AureliaDolo
reviewed
Dec 5, 2025
Comment on lines
+35
to
+36
| - An asynchronous enrollment is created by the submitter (while a synchronous one is created | ||
| by the greeter). |
Contributor
There was a problem hiding this comment.
Suggested change
| - An asynchronous enrollment is created by the submitter (while a synchronous one is created | |
| by the greeter). | |
| - When the submitter creates an enrollment it is asynchronous, whereas when an accepter creates the enrollment, it is synchronous. |
It kinda sounded like the people involved could choose what kind of enrollment they wanted, but maybe it's just me. (Also greeter -> accepter)
| 0. Alice wants to join CoolOrg organization. | ||
| 1. Alice uses the organization submission link to submit a request. This submission link | ||
| is specific to the organization and is common to all submit request (typically this | ||
| link can be pinned to a newcomer guide documentation). |
Contributor
There was a problem hiding this comment.
Suggested change
| link can be pinned to a newcomer guide documentation). | |
| link can be referenced in a newcomer guide documentation). |
| 1. Alice uses the organization submission link to submit a request. This submission link | ||
| is specific to the organization and is common to all submit request (typically this | ||
| link can be pinned to a newcomer guide documentation). | ||
| 2. Alice authenticates with an external identity system (either connect trough OIDC or uses his smartcard containing a PKI identity). |
Contributor
There was a problem hiding this comment.
Suggested change
| 2. Alice authenticates with an external identity system (either connect trough OIDC or uses his smartcard containing a PKI identity). | |
| 2. Alice authenticates with an external identity system (either connect trough OIDC or uses their smartcard containing a PKI identity). |
Suggested change
| 2. Alice authenticates with an external identity system (either connect trough OIDC or uses his smartcard containing a PKI identity). | |
| 2. Alice authenticates with an external identity system (either connect trough OIDC or uses her smartcard containing a PKI identity). |
| link can be pinned to a newcomer guide documentation). | ||
| 2. Alice authenticates with an external identity system (either connect trough OIDC or uses his smartcard containing a PKI identity). | ||
| 3. Alice creates a user encryption key pair and a device signing key pair. | ||
| 4. Alice saves the private parts of the user & device keys pairs on his machine's filesystem. |
Contributor
There was a problem hiding this comment.
Suggested change
| 4. Alice saves the private parts of the user & device keys pairs on his machine's filesystem. | |
| 4. Alice saves the private parts of the user & device keys pairs on their machine's filesystem. |
Suggested change
| 4. Alice saves the private parts of the user & device keys pairs on his machine's filesystem. | |
| 4. Alice saves the private parts of the user & device keys pairs on her machine's filesystem. |
| } | ||
| ``` | ||
|
|
||
| ### 3.2 - List the pending request |
Contributor
There was a problem hiding this comment.
Does this lists only valid, still waiting for approval enrollments ?
If yes, should we add a list_untrusted like here #11841?
(it's for the admin to be able to see all enrollments, even if they are invalid)
| "status": "enrollment_not_found" | ||
| }, | ||
| { | ||
| // The request is no longer in pending state (either accepted or rejected) |
Contributor
There was a problem hiding this comment.
Suggested change
| // The request is no longer in pending state (either accepted or rejected) | |
| // The request is no longer in pending state (either accepted, cancelled or rejected) |
| "status": "active_users_limit_reached" | ||
| }, | ||
| { | ||
| // The user already exist in the organization |
Contributor
There was a problem hiding this comment.
Suggested change
| // The user already exist in the organization | |
| // The user already exist in the organization (aka email already in use) |
I'm not sure about that though, this could be about the user_id too.
| "type": "Bytes" | ||
| }, | ||
| { | ||
| // Optional list of intermediate certificates needed to |
Contributor
There was a problem hiding this comment.
What happens if it's not provided ? The trustchain is not verified ?
| { | ||
| // Certificate here refers to the X509 certificate that describes what is | ||
| // in the smartcard. | ||
| "name": "certificate_ref", |
Contributor
There was a problem hiding this comment.
Suggested change
| "name": "certificate_ref", | |
| "name": "submitter_certificate_ref", |
Comment on lines
+971
to
+969
| > The server validation is not strictly needed from a security standpoint, but it | ||
| > prevents ending up with bad request in the list of pending enrollments that then | ||
| > have to be manually rejected. |
Contributor
There was a problem hiding this comment.
The invalid requests still need to be visible (they can be hidden) but the admin must be able to kind them to be able to debug the case where a legitimate user submits unknowingly an invalid certificate. So a manual action would still be needed to clean up those certificates
touilleMan
force-pushed
the
rfc-local-device-smartcard
branch
from
22f6195 to
7fa7fd0
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Question:
pki_prefix for everything related to PKI, except for the local device protection that is namedsmartcard. I think we should settle on eitherpkiorsmartcardfor all code related to PKI (so most likely just renameDeviceFileSmartcard->DeviceFilePKI).