)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"0cf916f1610b173e9bd0c5d1e7e4bb3bd6de424e","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"178108a8_9d525d6b","updated":"2023-04-21 19:17:09.000000000","message":"Also don\u0027t agree that the documentation","commit_id":"949b883e37bebc4c6b2d5961a1d9aa7f7f065cb2"},{"author":{"_account_id":13252,"name":"Dr. Jens Harbott","display_name":"Jens Harbott (frickler)","email":"frickler@offenerstapel.de","username":"jrosenboom"},"change_message_id":"745fc59b738f214c805009b04247c6941485ecb9","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"9774d41e_53cb4e17","updated":"2023-04-24 13:30:39.000000000","message":"I agree with the -1s and propose to go the other direction, have a default value of much less than 3m for client certs and at most 1y for the CA. If deployers are aware of the risks and willing to take them, they can choose to override with longer values. But likely they would be better off if they prepare for CA key rotation and we should also mention that in our docs.","commit_id":"949b883e37bebc4c6b2d5961a1d9aa7f7f065cb2"},{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"1088656cfb779ce017bf149bbf7607661e8a884d","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":1,"id":"707eccdd_d4f6193a","updated":"2023-04-24 07:37:43.000000000","message":"I\u0027m not sure I trust a guide which recommends 20 years lifetime for any certs.\n\nmaybe fix the guide instead of the code?","commit_id":"949b883e37bebc4c6b2d5961a1d9aa7f7f065cb2"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"f8a74095323dc949587daf9961b5164fd382ad0a","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"1081de39_77cfa8e9","updated":"2023-04-24 05:40:47.000000000","message":"The guide only mentions 20 years for a CA certificate","commit_id":"949b883e37bebc4c6b2d5961a1d9aa7f7f065cb2"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"b2f4633a714d265f889fb9107ab182816a0916a3","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"253d57be_9ef3db6b","updated":"2023-04-21 19:18:05.000000000","message":"is suggest, it show us and example (the bad security example)","commit_id":"949b883e37bebc4c6b2d5961a1d9aa7f7f065cb2"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"9e0baa42ea1e8d93418aa75a34f1d19ae7a1ae30","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":1,"id":"17b23394_fa994ca0","in_reply_to":"1c6acaeb_79cea056","updated":"2023-04-24 13:57:56.000000000","message":"Well, I mainly mean client certificates - if they expire - I assume you loose connectivity to Amphora management wise...\nI agree that we should keep it short and simple, currently those variables can be overridden by some bomb squad lovers, but we also should have some docs around refreshing those certificates and what that means ;-)","commit_id":"949b883e37bebc4c6b2d5961a1d9aa7f7f065cb2"},{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"221df190abbb1f5ab50496436c7f6ce242346ab0","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":1,"id":"28ff850c_a065ddaa","in_reply_to":"707eccdd_d4f6193a","updated":"2023-04-24 08:52:46.000000000","message":"for reference google proposes to encourage CAs to renew their keys every 5 years:\n\nhttps://www.chromium.org/Home/chromium-security/root-ca-policy/moving-forward-together/","commit_id":"949b883e37bebc4c6b2d5961a1d9aa7f7f065cb2"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"10f201333d6e4d2aaa453fb5ab53fb422a3619d2","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"b11e45fe_7865d4e7","in_reply_to":"9774d41e_53cb4e17","updated":"2023-04-24 13:31:55.000000000","message":"I think the biggest issue is that it\u0027s problematic to monitor, and after generating a new certificate - all amphora\u0027s need to be failed over (so reprovisioned).","commit_id":"949b883e37bebc4c6b2d5961a1d9aa7f7f065cb2"},{"author":{"_account_id":13252,"name":"Dr. Jens Harbott","display_name":"Jens Harbott (frickler)","email":"frickler@offenerstapel.de","username":"jrosenboom"},"change_message_id":"85ee4ec658c58621035065a1b53a2cd7a33c637b","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":1,"id":"1c6acaeb_79cea056","in_reply_to":"b11e45fe_7865d4e7","updated":"2023-04-24 13:47:49.000000000","message":"But that is only the case for the CA, not for client certificates, right?\n\nTo have a builtin time bomb to go off in 10 or 20 years isn\u0027t a good option anyway. If we come to the conclusion that changing a CA certificate is virtually impossily, we should indicate so by using some really absurdly high lifetime, like 999y or maybe 999999d?","commit_id":"949b883e37bebc4c6b2d5961a1d9aa7f7f065cb2"}],"ansible/roles/octavia-certificates/defaults/main.yml":[{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"0cf916f1610b173e9bd0c5d1e7e4bb3bd6de424e","unresolved":true,"context_lines":[{"line_number":35,"context_line":"octavia_certs_client_ca_common_name: client-ca.example.org"},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"# Client certificate."},{"line_number":38,"context_line":"octavia_certs_client_expiry: 7300"},{"line_number":39,"context_line":"octavia_certs_client_req_country: \"{{ octavia_certs_country }}\""},{"line_number":40,"context_line":"octavia_certs_client_req_state: \"{{ octavia_certs_state }}\""},{"line_number":41,"context_line":"octavia_certs_client_req_organization: \"{{ octavia_certs_organization }}\""}],"source_content_type":"text/x-yaml","patch_set":1,"id":"1931e7fb_8195e515","line":38,"range":{"start_line":38,"start_character":29,"end_line":38,"end_character":33},"updated":"2023-04-21 19:17:09.000000000","message":"From September 1st 2020, SSL/TLS certificates can no longer be issued for a period exceeding 13 months (397 days). Technically this is possible, but can lead to the unpredictable issues.","commit_id":"949b883e37bebc4c6b2d5961a1d9aa7f7f065cb2"}]}
