[Pki-devel] [PATCH] 202 Session-based nonces.

Ade Lee alee at redhat.com
Mon Feb 4 16:56:34 UTC 2013


OK - I did not see that code in the original validateNonce() function.

ACK

On Mon, 2013-02-04 at 10:24 -0600, Endi Sukma Dewata wrote:
> On 2/4/2013 9:49 AM, Ade Lee wrote:
> > Looks pretty good to me.
> >
> > Question:
> > 1. What is the purpose of the isMemberOfSubsystemGroup() method, and why
> > do we need it?
> 
> The original code checks whether the user specified in the client 
> certificate belongs to the "Subsystem Group". If it does, the code will 
> skip nonce verification. I suppose this is used by internal PKI 
> operations which do not require 2-step processes using nonces.
> 
> The isMemberOfSubsystemGroup() is a method that encapsulates the above 
> logic, and it's created to separate the logic from nonce validation 
> which should not be dependent on client certificates.
> 
> --
> Endi S. Dewata




