Add RevokeAuthorizations func to the SA gRPC service.#8799
Draft
ezekiel wants to merge 1 commit into
Draft
Conversation
aarongable
reviewed
Jun 18, 2026
| rpc AddRateLimitOverride(AddRateLimitOverrideRequest) returns (AddRateLimitOverrideResponse) {} | ||
| rpc DisableRateLimitOverride(DisableRateLimitOverrideRequest) returns (google.protobuf.Empty) {} | ||
| rpc EnableRateLimitOverride(EnableRateLimitOverrideRequest) returns (google.protobuf.Empty) {} | ||
| rpc RevokeAuthorization(AuthorizationID2) returns (google.protobuf.Empty) {} |
Contributor
There was a problem hiding this comment.
Thinking out loud:
The reason that DeactivateAuthorization operates on a single authz (takes a single authzID as its input) is that this code path is initiated by the subscriber. The ACME API exposes a way to deactivate one authz at a time, so the code path all the way through the RA and SA does the same.
But revoking authzs will likely be a bulk operation. We only have two scenarios in which we want to revoke authzs:
- During an incident, to prevent further issuance via reuse of previous (presumably non-compliant) authorizations. This would either be a bulk revocation of all authzs prior to a specific time, or a bulk revocation of all authzs from a large list of IDs extracted from logs.
- During revocation of a cert, as this PR is building towards. In this case, we're revoking all authzs for a specific regID+identifier pair.
So maybe it makes more sense for this to be
rpc RevokeAuthorizationsFor(RevokeAuthorizationsForRequest) returns (google.protobuf.Empty) {}
message RevokeAuthorizationsForRequest {
int64 registrationID = 1;
core.Identifier identifier = 2;
}
Member
Author
There was a problem hiding this comment.
Very helpful thoughts, thank you!
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.