[Pki-devel] [PATCH] DRM Transport Key Rotation
Ade Lee
alee at redhat.com
Fri Sep 27 17:11:55 UTC 2013
Just a few comments/ questions so I can understand the patch better.
1. In CAEnrollProfile, you update the request queue only if the
transport cert is invalid. Why do we need to do this? Or why do we not
need to do this in all cases here?
2. In EnrollProfile.java, you get the transport cert from
ca.connector.KRA.transportCert. Is it possible to have more than one CA
connected? Is that parameter always the correct one to use?
3. In EnrollmentService.java, you read the transport cert attribute in
the request, and throw an exception of it is not present (basically
tcert == null). This will presumably occur if you receive an escrow
request from an older CA, right? How are we handling this case?
4. Incidentally,
transportCert != null && transportCert.length() > 0
can be replaced with ! StringUtils.isEmpty(transportCert)
Same thing in a couple other places.
5. Why do you return true in KRAService.java (serviceRequest) instead of
false?
Ade
On Wed, 2013-09-25 at 16:59 -0700, Andrew Wnuk wrote:
> This patch provides basic support for DRM transport key rotation
> described
> in http://pki.fedoraproject.org/wiki/DRM_Transport_Key_Rotation
>
> This patch provides implementation for tickets:
> - 729 - CA to include transport certificate when submitting
> archival request to DRM
> - 730 - DRM to detect presence of transport certificate attribute
> in submitted archival
> request and validate transport certificate against DRM's
> transport key list
> - 731 - DRM to provide handling for alternative transport key
> based on detected
> and validated transport certificate arriving as a part of
> extended archival request
>
>
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
More information about the Pki-devel
mailing list