…ze/revocation_url

Three classes of issues fixed uniformly across all four language implementations.

Stale stub comments

All five verifier stubs (Go, TS SDK, TS HTTP, Rust, Java) described the old revocation design: 'spec defines revocation by index range' and 'GET /revoked format not yet defined'. Both were accurate before PR #26; both are wrong now. Updated to reference SPEC.md §Revocation (Bloom filter cascade, fully specified), point to revocationUrl in the trust config, and direct readers to issue #14.

Fail-open hardcoded as default

All five stubs passed ok=true to the revocation trace step, recording the revocation check as passed unconditionally — the fail-open pattern, hardcoded, with no warning. SPEC.md §Revocation explicitly prohibits this: fail-open must require explicit configuration, must surface in the trace as a warning, and must not be the default. All five stubs now pass ok=false with the message 'not implemented — stub only, revocation not checked'. This is the correct fail-closed-by-default posture for a documented stub.

batch_size hardcoded (Go, TypeScript, Rust)

The trust config JSON carries a batch_size field so deployments with non-default batch sizes do not require code changes. Go, TypeScript SDK, and Rust all had const BATCH_SIZE = 16 ignoring the trust config value. Java already read it. Fixed:

- Go: TrustAnchor gains BatchSize int field; loadTrustConfigFromBytes reads and stores it (default 16 if absent or zero); Verify() uses anchor.BatchSize
- TypeScript SDK: TrustConfig interface gains batchSize: number; fromJSON reads it from raw.batch_size (default 16); verifier uses this.trust.batchSize
- Rust: TrustConfig gains batch_size: usize; TrustConfigJSON gains #[serde(default)] batch_size: Option<usize>; from_json sets default 16; verifier uses self.trust.batch_size

revocation_url added to trust structs (Go, TypeScript, Rust)

The trust config JSON has had revocation_url since PR #26. All four runtime trust structs (Go TrustAnchor, TS TrustConfig, Rust TrustConfig, Java TrustConfig) now carry the field and populate it from the JSON. Go verifier stub TODO already referenced anchor.RevocationURL before this change; now the field actually exists.

ARCHITECTURE.md

'revocation range keys' → 'revocation cache keys' (stale phrase from the index-range design)
Three classes of issues found during review of old revocation artifacts, fail-open behavior, and hardcoded values. All fixed uniformly across all four language implementations.
Stale stub comments — Five verifier stubs described the old design ('revocation by index range', 'GET /revoked format not defined'). Both wrong since PR #26. Updated to reference SPEC.md §Revocation and issue #14.
Fail-open hardcoded — All five stubs passed ok=true to the revocation trace step, recording revocation as passed unconditionally. SPEC.md explicitly prohibits this. All five now pass ok=false with 'stub only, revocation not checked' — correct fail-closed-by-default posture.

batch_size hardcoded (Go, TypeScript, Rust) — Trust config carries batch_size so deployments with non-default sizes don't need code changes. Go/TS/Rust all had const BATCH_SIZE = 16 ignoring it. Java already read it. All four runtime trust structs now read from the trust config JSON.

revocation_url added to trust structs (Go, TypeScript, Rust) — Field was in the JSON since PR #26 but not in the runtime structs. Fixed.
ARCHITECTURE.md — 'revocation range keys' → 'revocation cache keys'.
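The two behaviours this PR fixes in the Go verifier (reading batch_size and revocation_url from the trust config JSON with a default of 16, and a revocation stub that records ok=false instead of a hardcoded ok=true) are illustrated below in a small added Go example. This is not the project's code: the TrustAnchor, loadTrustConfigFromBytes and Verify names are taken from the PR description, but their shapes here, the TraceStep type, the allowFailOpen flag and the sample JSON are assumptions made for the illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// defaultBatchSize is the fallback the PR describes when batch_size is absent or zero.
const defaultBatchSize = 16

// TrustAnchor is a reduced stand-in for the project's struct (assumption): only the
// two fields this PR touches are modelled.
type TrustAnchor struct {
	BatchSize     int
	RevocationURL string
}

// trustConfigJSON mirrors the JSON field names named in the PR description.
type trustConfigJSON struct {
	BatchSize     int    `json:"batch_size"`
	RevocationURL string `json:"revocation_url"`
}

// loadTrustConfigFromBytes parses the trust config and applies the batch-size default.
func loadTrustConfigFromBytes(b []byte) (*TrustAnchor, error) {
	var raw trustConfigJSON
	if err := json.Unmarshal(b, &raw); err != nil {
		return nil, fmt.Errorf("trust config: %w", err)
	}
	a := &TrustAnchor{BatchSize: raw.BatchSize, RevocationURL: raw.RevocationURL}
	if a.BatchSize <= 0 { // absent, zero or negative: use the documented default
		a.BatchSize = defaultBatchSize
	}
	return a, nil
}

// TraceStep is one entry of a verification trace (shape assumed for this example).
type TraceStep struct {
	Name string
	OK   bool
	Msg  string
}

// checkRevocation is the documented stub. Fail-open is only taken when explicitly
// configured, and then it is surfaced in the trace as a warning; the default is
// fail-closed, exactly as the PR sets the five stubs.
func checkRevocation(anchor *TrustAnchor, allowFailOpen bool) TraceStep {
	if allowFailOpen {
		return TraceStep{
			Name: "revocation",
			OK:   true,
			Msg:  "WARNING: fail-open configured; revocation not checked against " + anchor.RevocationURL,
		}
	}
	return TraceStep{
		Name: "revocation",
		OK:   false,
		Msg:  "not implemented — stub only, revocation not checked",
	}
}

// Verify runs the trace steps; any failed step fails verification as a whole.
// Only the revocation step is modelled here (assumption); batch size is reported so
// callers can see it came from the config rather than a constant.
func Verify(anchor *TrustAnchor, allowFailOpen bool) (bool, []TraceStep) {
	steps := []TraceStep{
		{Name: "batch_size", OK: anchor.BatchSize > 0, Msg: fmt.Sprintf("using batch size %d from trust config", anchor.BatchSize)},
		checkRevocation(anchor, allowFailOpen),
	}
	ok := true
	for _, s := range steps {
		if !s.OK {
			ok = false
		}
	}
	return ok, steps
}

func main() {
	// Constructed sample config: no batch_size, so the default of 16 applies.
	anchor, err := loadTrustConfigFromBytes([]byte(`{"revocation_url":"https://example.invalid/revoked"}`))
	if err != nil {
		panic(err)
	}
	ok, steps := Verify(anchor, false)
	fmt.Println("verified:", ok)
	for _, s := range steps {
		fmt.Printf("  %-12s ok=%-5v %s\n", s.Name, s.OK, s.Msg)
	}
}
```

With the default configuration the trace shows the revocation step as failed and Verify returns false, which is the fail-closed posture the PR adopts; setting allowFailOpen to true makes the step pass but leaves a WARNING line in the trace, matching the SPEC.md requirement that fail-open be explicit and visible.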