<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Fraser,<br>
<br>
Good catch!<br>
<br>
I'm wondering why it was disabled. Could there be a reason?
Fraser, if you have not done so, may I trouble you to take one more
step in the testing and see if you can<br>
1. verify the CRLs generated after the enabling of AKI indeed have
the extension<br>
2. the CRL is accepted by the OCSP<br>
3. test FF cert verification with both CRL and OCSP<br>
<br>
Regarding the upgrade script, I'll say yes if possible. But we should
try to conform to the existing upgrade mechanisms/decision.<br>
<br>
thanks,<br>
Christina<br>
<br>
<div class="moz-cite-prefix">On 10/29/2014 11:09 PM, Fraser Tweedale
wrote:<br>
</div>
<blockquote
cite="mid:20141030060943.GY21514@dhcp-40-8.bne.redhat.com"
type="cite">
<pre wrap="">This patch enables the Authority Key Identifier CRL Extension, which
is REQUIRED by RFC 5280, by default.
Should existing instances be left alone or should I also look at an
upgrade script that offers to upgrade CS.cfg to be conformant?
Fraser
</pre>
</blockquote>
<br>
</body>
</html>