Opened 5 years ago
#433 new enhancement
Self-service cert requests in Pony
Reported by: | adehnert | Owned by: | |
---|---|---|---|
Priority: | normal | Milestone: | |
Component: | web | Keywords: | |
Cc: | | | |
Description
Ideally, our users could click a button in Pony and get a cert (eventually) issued, both for MIT and non-MIT certs. For both, we need #52 first -- Apache restarts are O(N*N) in number of vhosts on disk, which means we'd like a human approval process to keep the numbers down/controlled.
For MIT, I think that's it (though we shouldn't send the MITcert email until the hostname is actually approved). For non-MIT, we may want to think about how comfortable we are with a ~CSR-issuing oracle (even if only for names pointing at us) without any sort of rate-limiting. (For MIT, the hostname approval process implicitly rate-limits somewhat -- there's only, um, a bit under 2K <single-label>.mit.edu hostnames on scripts, it seems.)
(See also /mit/sipbzlog/scripts-by-instance/certs today.)