<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Per discussion with Ade and Endi on unrelated
audit-event-specific topic, we decide to not split events into
SUCCESS and FAILURE.</p>
<p>This updated patch un-split the events that I split prior to the
conversation/decision.</p>
<p>thanks,</p>
<p>Christina<br>
</p>
<br>
<div class="moz-cite-prefix">On 05/15/2017 06:29 PM, Christina Fu
wrote:<br>
</div>
<blockquote
cite="mid:e2f2265a-5e04-ae1d-f4ca-ea46ded08b19@redhat.com"
type="cite">(pague ticket is yet to be cloned)
<br>
<br>
Bug 1447080 - CC: CMC: allow enrollment key signed (self-signed)
CMC with identity proof
<br>
<br>
This patch implements handling of the self-signed CMC requests,
where the request is signed by the public key of the underlying
request (PKCS#10 or CRMF). The scenario for when this method is
used is when there was no existing signing cert for the user has
been issued before, and once it is issued, it can be used to sign
subsequent cert requests by the same user.
<br>
<br>
The new enrollment profile introduced is :
caFullCMCSelfSignedCert.cfg
<br>
<br>
The new option introduced to both CRMFPopClient and PKCS10Client
is "-y" which will add the required SubjectKeyIdentifier to the
underlying request.
<br>
<br>
When a CMC request is self-signed, no auditSubjectID is available
until Identification Proof (v2) is verified, however, the cert
subject DN is recorded in log as soon as it was available for
additional information.
<br>
<br>
thanks!
<br>
<br>
Christina
<br>
<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Pki-devel mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Pki-devel@redhat.com">Pki-devel@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/pki-devel">https://www.redhat.com/mailman/listinfo/pki-devel</a></pre>
</blockquote>
<br>
</body>
</html>