
Make SAN optional and move it to Instance

Open sergiopozoh opened this issue 4 years ago • 2 comments

Proposed changes

  • SAN must be made optional. It is also worth considering whether we should move it to Instance, as right now it is at the FederatedService level.

Reasons

  • Hamlet now supports cleartext protocols, but SAN is still mandatory.

Alternatives

  • Leave SAN in FederatedService. Feels unnatural. Even so, the implementor agent can always fill the array with all the valid SANs. How to select the right one for each Instance would be the challenge (assuming each Instance has its own cert with a single-value SAN).
  • Put SAN in Instance. We are assuming that each Instance will present its own certificate with a single value in the SAN. Maybe this is the right thing to do, given that SNI is already at the Instance. Maybe all instances present the same certificate with a multi-value SAN.

sergiopozoh, Mar 05 '21 19:03

@dkalani @venilnoronha thoughts?

sergiopozoh, Mar 05 '21 19:03

SAN is already optional in the spec document; it's only the protobuf comment that must be changed.

sergiopozoh, Apr 05 '21 23:04