C-6: ConnectorRuntime enforces capability_mask per operation.
READ-only ACs cannot invoke MUTATE operations (wipe, lock, retire).
C-7: AC validated against database (exists, active, not expired)
before connector invocation.
C-9: Delegated AC capability bounded by delegator's capability.
C-10: Command counter uses atomic SQL increment with limit check.
M-23: expire_stale() uses same atomic SQL pattern.
H-1: Sensitive credential fields hidden from repr/logs via repr=False.
H-2: Stub backend requires ALLOW_STUB_CREDENTIALS=true to activate.
H-3: Kerberos backend raises CredentialResolutionError instead of
returning stub ticket.
H-4: Chronicle INTENT emitted before execution, RESULT after.
H-5: device_id validated as UUID before Graph API URL interpolation.
H-8: ConnectorRuntime enforces governance for all connector invocations.
Signed-off-by: Tyler King <tking@guildhouse.dev>
20 lines
989 B
Text
This package contains a modified version of ca-bundle.crt:

ca-bundle.crt -- Bundle of CA Root Certificates

This is a bundle of X.509 certificates of public Certificate Authorities
(CA). These were automatically extracted from Mozilla's root certificates
file (certdata.txt). This file can be found in the mozilla source tree:
https://hg.mozilla.org/mozilla-central/file/tip/security/nss/lib/ckfw/builtins/certdata.txt
It contains the certificates in PEM format and therefore
can be directly used with curl / libcurl / php_curl, or with
an Apache+mod_ssl webserver for SSL client authentication.
Just configure this file as the SSLCACertificateFile.#

***** BEGIN LICENSE BLOCK *****
This Source Code Form is subject to the terms of the Mozilla Public License,
v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain
one at http://mozilla.org/MPL/2.0/.

***** END LICENSE BLOCK *****
@(#) $RCSfile: certdata.txt,v $ $Revision: 1.80 $ $Date: 2011/11/03 15:11:58 $