Proposed impact description. Please check that only Folsom is affected. What's the name of the config option that does enable "always verify online" ? maybe I could mention it.
Description:
Guang Yee from HP reported a vulnerability in the revocation check for Keystone PKI tokens. Those tokens are supposed to be validated locally using cryptographic checks, but the user also has the option of asking the server to validate them. In that case, the online verification of PKI tokens would bypass the revocation check, potentially affirming revocated tokens are still valid. Only setups making use of online verification of PKI tokens are affected.
-----------------------
Proposed impact description. Please check that only Folsom is affected. What's the name of the config option that does enable "always verify online" ? maybe I could mention it.
------- ------- ------- --
Title: Online validation of Keystone PKI tokens bypasses revocation check
Reporter: Guang Yee (HP)
Products: Keystone
Affects: Folsom
Description: ------- ------- --
Guang Yee from HP reported a vulnerability in the revocation check for Keystone PKI tokens. Those tokens are supposed to be validated locally using cryptographic checks, but the user also has the option of asking the server to validate them. In that case, the online verification of PKI tokens would bypass the revocation check, potentially affirming revocated tokens are still valid. Only setups making use of online verification of PKI tokens are affected.
-------