[ 
https://issues.apache.org/jira/browse/CASSANDRA-18951?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Francisco Guerrero updated CASSANDRA-18951:
-------------------------------------------
    Change Category: Operability  (was: Semantic)

> Add option for MutualTlsAuthenticator to restrict the certificate validity period
> ---------------------------------------------------------------------------------
>
>                 Key: CASSANDRA-18951
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-18951
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Feature/Authorization, Messaging/Client, 
> Observability/JMX, Observability/Metrics
>            Reporter: Francisco Guerrero
>            Assignee: Francisco Guerrero
>            Priority: Normal
>             Fix For: 5.1
>
>         Attachments: ci_summary.html, ci_summary.json, result_details.tar.gz
>
>          Time Spent: 6h 10m
>  Remaining Estimate: 0h
>
> In {{org.apache.cassandra.auth.MutualTlsAuthenticator}}, we validate that a
> certificate is valid by looking at the identities inside the certificate and
> making sure the identity exists in the identity-to-role table. In some
> situations we may want to restrict the certificates we accept by rejecting
> certificates older than x days. Some certificates can be generated with long
> expiration dates, and this might be undesired when you want to protect against
> certificates potentially being compromised. For that reason, it is important to
> add an option that, when configured, limits the age of the certificate we accept
> for mTLS authentication. When enabled, this will force clients to renew
> certificates more frequently, reducing the exposure of a Cassandra cluster to
> leaked certificates.
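The age check the ticket asks for, written out as a stand-alone Java example. This is an added illustration, not the Cassandra patch or any code from the project: the class name `CertificateAgeCheck`, the `Result` enum, the two limits (`maxAge` for how long ago the certificate was issued, `maxValidityPeriod` for the total notBefore-to-notAfter window) and the sample dates are all assumptions. The overload taking an `X509Certificate` only reads `getNotBefore()`/`getNotAfter()` from the JDK certificate API, so the check can be exercised offline with constructed instants.

```java
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;

/**
 * Added example (not Cassandra code). Decides whether a client certificate is
 * acceptable for mTLS given an issuance-age limit and a validity-period limit.
 * Both limits are hypothetical configuration knobs, named here for illustration.
 */
public final class CertificateAgeCheck {

    public enum Result {
        ACCEPTED,
        REJECTED_NOT_YET_VALID,     // now < notBefore
        REJECTED_EXPIRED,           // now >= notAfter
        REJECTED_VALIDITY_TOO_LONG, // notAfter - notBefore exceeds maxValidityPeriod
        REJECTED_TOO_OLD            // now - notBefore exceeds maxAge
    }

    private final Duration maxAge;            // e.g. 30 days since issuance
    private final Duration maxValidityPeriod; // e.g. 90 days total lifetime

    public CertificateAgeCheck(Duration maxAge, Duration maxValidityPeriod) {
        this.maxAge = maxAge;
        this.maxValidityPeriod = maxValidityPeriod;
    }

    /** Core rule, expressed on instants so it can be tested without a real certificate. */
    public Result check(Instant notBefore, Instant notAfter, Instant now) {
        if (now.isBefore(notBefore)) {
            return Result.REJECTED_NOT_YET_VALID;
        }
        if (!now.isBefore(notAfter)) {
            return Result.REJECTED_EXPIRED;
        }
        // A long-lived certificate is rejected even if it was issued recently:
        // the whole validity window must fit the configured limit.
        if (Duration.between(notBefore, notAfter).compareTo(maxValidityPeriod) > 0) {
            return Result.REJECTED_VALIDITY_TOO_LONG;
        }
        // A certificate issued too long ago must be renewed before it is accepted.
        if (Duration.between(notBefore, now).compareTo(maxAge) > 0) {
            return Result.REJECTED_TOO_OLD;
        }
        return Result.ACCEPTED;
    }

    /** Adapter for a real certificate; the identity-to-role lookup would happen after this passes. */
    public Result check(X509Certificate cert, Instant now) {
        return check(cert.getNotBefore().toInstant(), cert.getNotAfter().toInstant(), now);
    }

    public static void main(String[] args) {
        CertificateAgeCheck check = new CertificateAgeCheck(Duration.ofDays(30), Duration.ofDays(90));
        Instant now = Instant.parse("2024-06-01T00:00:00Z"); // constructed "current time"

        // Constructed case 1: issued 10 days ago with a 60-day lifetime -> ACCEPTED
        System.out.println(check.check(now.minus(Duration.ofDays(10)), now.plus(Duration.ofDays(50)), now));

        // Constructed case 2: issued 45 days ago with a 60-day lifetime -> REJECTED_TOO_OLD
        System.out.println(check.check(now.minus(Duration.ofDays(45)), now.plus(Duration.ofDays(15)), now));

        // Constructed case 3: issued yesterday but valid for ten years -> REJECTED_VALIDITY_TOO_LONG
        System.out.println(check.check(now.minus(Duration.ofDays(1)), now.plus(Duration.ofDays(3650)), now));

        // Constructed case 4: already expired -> REJECTED_EXPIRED
        System.out.println(check.check(now.minus(Duration.ofDays(100)), now.minus(Duration.ofDays(1)), now));
    }
}
```

The validity-period check and the issuance-age check are kept separate because they defend against different things: the first rejects certificates that were minted with a long lifetime in the first place, the second forces periodic renewal even for certificates whose lifetime is within policy. An operator would normally expose both as configuration values with the feature disabled by default so that existing clients are not rejected on upgrade.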



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org