Thicket data repository for the EEG
{
  "id": "https://ryan.freumh.org/2024-04-08.html",
  "title": "8 Apr 2024",
  "link": "https://ryan.freumh.org/2024-04-08.html",
  "updated": "2024-04-08T00:00:00",
  "published": "2024-04-08T00:00:00",
  "summary": "<div>\n <span> Previous: <a href=\"2024-04-01.html\"> 1 Apr 2024</a> </span>\n <span> Next: <a href=\"2024-04-15.html\">15 Apr 2024</a> </span>\n </div>\n \n \n\n <h2>Tue</h2>\n<p><span>some rough working notes for eon’s capability\ninterface to provision TLS certificates:</span></p>\n<ul>\n<li>modified the client to read the capability from a file and write the\ncerts to a directory.</li>\n<li>todo: persistence</li>\n<li>account key</li>\n<li>wildcard certs</li>\n<li>should we do CSR on the client or server?</li>\n<li>should we do renewals on the client or server?</li>\n<li>let’s store everything on the server</li>\n<li>renewals keep the same private key?</li>\n<li>no, new certificate</li>\n</ul>\n<p><span>renewals:</span></p>\n<ul>\n<li>sturdyrefs for capabilities mapped to domains</li>\n<li>keep track of expiry</li>\n</ul>\n<p><span>update interface</span></p>\n<ul>\n<li>do we mimic DNS UPDATE? yes</li>\n<li>do we pass binary blob? no</li>\n</ul>\n<p><span>todo</span></p>\n<ul>\n<li>provisioning a cert for root</li>\n<li>https://github.com/mirage/ca-certs-nss</li>\n<li>https://github.com/suri-framework/castore</li>\n<li>multiple domains</li>\n<li>SAN</li>\n<li>CN</li>\n<li>extensions</li>\n</ul>\n<h2>Thu</h2>\n<p><span>done:</span></p>\n<ul>\n<li>subject alternative name</li>\n<li>generate caps for every authoritative domain</li>\n<li>client exits</li>\n<li>capc multiple domains</li>\n<li>delegation persist capability</li>\n<li>persistence</li>\n</ul>\n<p><span>NB <a href=\"https://github.com/mmaker/ocaml-letsencrypt\">ocaml-letsencrypt</a>\ndoesn’t support revocation or deletion</span></p>",
  "content": "<div>\n <span> Previous: <a href=\"2024-04-01.html\"> 1 Apr 2024</a> </span>\n <span> Next: <a href=\"2024-04-15.html\">15 Apr 2024</a> </span>\n </div>\n \n \n\n <h2>Tue</h2>\n<p><span>some rough working notes for eon’s capability\ninterface to provision TLS certificates:</span></p>\n<ul>\n<li>modified the client to read the capability from a file and write the\ncerts to a directory.</li>\n<li>todo: persistence</li>\n<li>account key</li>\n<li>wildcard certs</li>\n<li>should we do CSR on the client or server?</li>\n<li>should we do renewals on the client or server?</li>\n<li>let’s store everything on the server</li>\n<li>renewals keep the same private key?</li>\n<li>no, new certificate</li>\n</ul>\n<p><span>renewals:</span></p>\n<ul>\n<li>sturdyrefs for capabilities mapped to domains</li>\n<li>keep track of expiry</li>\n</ul>\n<p><span>update interface</span></p>\n<ul>\n<li>do we mimic DNS UPDATE? yes</li>\n<li>do we pass binary blob? no</li>\n</ul>\n<p><span>todo</span></p>\n<ul>\n<li>provisioning a cert for root</li>\n<li>https://github.com/mirage/ca-certs-nss</li>\n<li>https://github.com/suri-framework/castore</li>\n<li>multiple domains</li>\n<li>SAN</li>\n<li>CN</li>\n<li>extensions</li>\n</ul>\n<h2>Thu</h2>\n<p><span>done:</span></p>\n<ul>\n<li>subject alternative name</li>\n<li>generate caps for every authoritative domain</li>\n<li>client exits</li>\n<li>capc multiple domains</li>\n<li>delegation persist capability</li>\n<li>persistence</li>\n</ul>\n<p><span>NB <a href=\"https://github.com/mmaker/ocaml-letsencrypt\">ocaml-letsencrypt</a>\ndoesn’t support revocation or deletion</span></p>",
  "content_type": "html",
  "categories": [],
  "source": "https://ryan.freumh.org/atom.xml"
}