[Pki-devel] [PATCH] 0017 Enable Authority Key Identifier CRL extension

Fraser Tweedale ftweedal at redhat.com
Wed Dec 17 02:36:39 UTC 2014


Hi Christina,

Following up on your request for further testing, see below.

On Thu, Oct 30, 2014 at 09:25:56AM -0700, Christina Fu wrote:
> Fraser,
> 
> Good catch!
> 
> I'm wondering why it was disabled.  Could there be a reason? Fraser, if you
> have not done so, may I trouble you to take one more step in the testing and
> see if you can
> 1. verify the CRLs generated after the enabling of AKI indeed have the
> extension
>
The extension is present.

> 2. the CRL is accepted by the OCSP
>
The OCSP responder works fine with the CRLs when the AKI extension
has been enabled.

> 3. test FF cert verification with both CRL and OCSP
> 
Firefox OCSP check works fine.  I'm not sure how to test the CRL in
Firefox.  Advice?

> Regarding upgrade script, I'll say yes if possible.  But we should try to
> conform to the existing upgrade mechanisms/decision.
> 
Patch will be out shortly.

Cheers,

Fraser

> thanks,
> Christina
> 
> On 10/29/2014 11:09 PM, Fraser Tweedale wrote:
> >This patch enables the Authority Key Identifier CRL Extension, which
> >is REQUIRED by RFC 5280, by default.
> >
> >Should existing instances be left alone or should I also look at an
> >upgrade script that offers to upgrade CS.cfg to be conformant?
> >
> >Fraser
> >
> >
> >_______________________________________________
> >Pki-devel mailing list
> >Pki-devel at redhat.com
> >https://www.redhat.com/mailman/listinfo/pki-devel
> 
