Right now, the PA parses two different kinds of blocked names (boulder/policy/pa.go, lines 59 to 71 in 1958cc9):

```go
	// HighRiskBlockedNames is a list of domain names: like ExactBlockedNames
	// except that issuance is blocked for subdomains as well. (e.g.
	// BlockedNames containing `example.com` will block `www.example.com`).
	//
	// This list typically doesn't change with much regularity.
	HighRiskBlockedNames []string `yaml:"HighRiskBlockedNames"`

	// AdminBlockedNames operates the same as HighRiskBlockedNames but is
	// changed with more frequency based on administrative blocks/revocations
	// that are added over time above and beyond the high-risk domains. Managing
	// these entries separately from HighRiskBlockedNames makes it easier to vet
	// changes accurately.
	AdminBlockedNames []string `yaml:"AdminBlockedNames"`
```
But it treats them exactly the same (boulder/policy/pa.go, lines 106 to 112 in 1958cc9):

```go
	nameMap := make(map[string]bool)
	for _, v := range policy.HighRiskBlockedNames {
		nameMap[v] = true
	}
	for _, v := range policy.AdminBlockedNames {
		nameMap[v] = true
	}
```
And in fact, we have even more categories than that configured in prod; our list there is a concatenation of several other lists, maintained separately.
We should consider making this struct more general, so that it can natively support loading arbitrarily many different kinds of blocked names. However, the other categories that we load from the file (ExactBlockedNames, BlockedPrefixes) are semantically different, so this may be hard.
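One shape such a generalized structure could take, as an added example that is not Boulder's code and not a proposed patch: every list carries a name and a match kind (exact, suffix-with-subdomains, or prefix), and the lookup reports which list blocked a name instead of collapsing everything into one `map[string]bool`. Keeping the list name on each match is what makes the separately maintained categories (high-risk, admin, and the prod concatenations) vettable after they are merged. The type and function names (`blockList`, `newBlockedNames`, `Check`), the match semantics assumed for prefixes (matched against the start of the whole name), and the sample entries are all constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// blockKind says how the entries of a list match a requested name.
type blockKind int

const (
	blockExact  blockKind = iota // entry blocks only itself (ExactBlockedNames-style)
	blockSuffix                  // entry blocks itself and every subdomain (HighRisk/Admin-style)
	blockPrefix                  // assumed: entry blocks any name that starts with it
)

// blockList is one named category. The config loader that fills it (YAML or
// otherwise) is out of scope here; this is a hypothetical shape, not Boulder's.
type blockList struct {
	Name    string
	Kind    blockKind
	Entries []string
}

// blockedNames indexes every list once at load time; each map value records
// the list that contributed the entry so a match can be traced back.
type blockedNames struct {
	exact    map[string]string // exact name -> contributing list
	suffix   map[string]string // domain -> contributing list; covers subdomains
	prefixes []struct{ prefix, list string }
}

// normalize lowercases a name and drops a trailing dot so lookups are canonical.
func normalize(name string) string {
	return strings.ToLower(strings.TrimSuffix(name, "."))
}

// newBlockedNames builds the index. Any number of lists can be loaded; lists of
// the same kind coexist because provenance is kept per entry, not per list.
func newBlockedNames(lists []blockList) (*blockedNames, error) {
	b := &blockedNames{exact: map[string]string{}, suffix: map[string]string{}}
	for _, l := range lists {
		for _, raw := range l.Entries {
			e := normalize(raw)
			if e == "" {
				return nil, fmt.Errorf("list %q: empty entry %q", l.Name, raw)
			}
			switch l.Kind {
			case blockExact:
				b.exact[e] = l.Name
			case blockSuffix:
				b.suffix[e] = l.Name
			case blockPrefix:
				b.prefixes = append(b.prefixes, struct{ prefix, list string }{e, l.Name})
			default:
				return nil, fmt.Errorf("list %q: unknown kind %d", l.Name, l.Kind)
			}
		}
	}
	return b, nil
}

// Check reports whether name is blocked and, if so, by which list.
func (b *blockedNames) Check(name string) (blocked bool, list string) {
	name = normalize(name)
	if l, ok := b.exact[name]; ok {
		return true, l
	}
	// Walk up the label chain: www.example.com -> example.com -> com.
	for n := name; n != ""; {
		if l, ok := b.suffix[n]; ok {
			return true, l
		}
		i := strings.IndexByte(n, '.')
		if i < 0 {
			break
		}
		n = n[i+1:]
	}
	for _, p := range b.prefixes {
		if strings.HasPrefix(name, p.prefix) {
			return true, p.list
		}
	}
	return false, ""
}

// sampleLists returns constructed sample data mirroring the four categories
// discussed above; the entries are placeholders, not real blocked names.
func sampleLists() []blockList {
	return []blockList{
		{Name: "HighRiskBlockedNames", Kind: blockSuffix, Entries: []string{"example.com"}},
		{Name: "AdminBlockedNames", Kind: blockSuffix, Entries: []string{"revoked.example.net"}},
		{Name: "ExactBlockedNames", Kind: blockExact, Entries: []string{"only-this.example.org"}},
		{Name: "BlockedPrefixes", Kind: blockPrefix, Entries: []string{"test-"}},
	}
}

func main() {
	b, err := newBlockedNames(sampleLists())
	if err != nil {
		panic(err)
	}
	for _, n := range []string{"WWW.Example.COM.", "example.net", "test-site.example.org"} {
		blocked, list := b.Check(n)
		fmt.Printf("%-25s blocked=%-5t list=%s\n", n, blocked, list)
	}
}
```

The suffix walk is why the high-risk and admin lists can share one index without losing their distinction: a hit on `sub.revoked.example.net` is attributed to AdminBlockedNames, while `notexample.com` falls through because only whole labels are stripped. Exact and prefix lists keep their own semantics in the same structure, which is the part the issue flags as hard when the categories are modelled as separate struct fields.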