[Pki-devel] [PATCH] 0017 Enable Authority Key Identifier CRL extension

Christina Fu cfu at redhat.com
Wed Dec 17 18:13:04 UTC 2014


Hi Fraser,
Regarding CRL, I found the following:
https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/ilOoDiCU4JM
So I think we can just forget it then, unless you want to install old FF 
to try.
You have an ACK on this patch now.

About upgrade, I can see that you are on the right path there with the 
upgrade script, and it looks to do the thing, but since I don't have 
much experience with Python, could you please ask Endi to take a closer 
look?

thanks!
Christina

On 12/16/2014 06:36 PM, Fraser Tweedale wrote:
> Hi Christina,
>
> Following up on your request for further testing, see below.
>
> On Thu, Oct 30, 2014 at 09:25:56AM -0700, Christina Fu wrote:
>> Fraser,
>>
>> Good catch!
>>
>> I'm wondering why it was disabled.  Could there be a reason? Fraser, if you
>> have not done so, may I trouble you to take one more step in the testing and
>> see if you can
>> 1. verify the CRLs generated after the enabling of AKI indeed have the
>> extension
>>
> The extension is present.
>
>> 2. the CRL is accepted by the OCSP
>>
> The OCSP responder works fine with the CRLs when the AKI extension
> has been enabled.
>
>> 3. test FF cert verification with both CRL and OCSP
>>
> Firefox OCSP check works fine.  I'm not sure how to test the CRL in
> Firefox.  Advice?
>
>> Regarding upgrade script, I'll say yes if possible.  But we should try to
>> conform to the existing upgrade mechanisms/decision.
>>
> Patch will be out shortly.
>
> Cheers,
>
> Fraser
>
>> thanks,
>> Christina
>>
>> On 10/29/2014 11:09 PM, Fraser Tweedale wrote:
>>> This patch enables the Authority Key Identifier CRL Extension, which
>>> is REQUIRED by RFC 5280, by default.
>>>
>>> Should existing instances be left alone or should I also look at an
>>> upgrade script that offers to upgrade CS.cfg to be conformant?
>>>
>>> Fraser
>> _______________________________________________
>> Pki-devel mailing list
>> Pki-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-devel
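
Test step 1 in the thread above (confirming that a generated CRL carries the Authority Key Identifier extension) can be scripted. The following is an added example, not code from this thread or from the patch: it walks a DER-encoded CRL and reports the OIDs in `crlExtensions`. The helper names (`tlv`, `children`, `crl_extension_oids`, `has_aki`, `sample_crl`) are hypothetical, the sample CRL is constructed with a dummy signature and placeholder extension values, and the check is structural only (it does not verify the signature).

```python
# Added example: presence check for the AKI extension in a DER-encoded CRL.
OID_AKI = bytes.fromhex("551d23")         # 2.5.29.35 authorityKeyIdentifier
OID_CRL_NUMBER = bytes.fromhex("551d14")  # 2.5.29.20 cRLNumber

def tlv(tag, content):
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + content

def children(buf):
    """Yield (tag, content) for each DER TLV directly inside buf."""
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:                               # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        if i + n > len(buf):
            raise ValueError("truncated DER")
        yield tag, buf[i:i + n]
        i += n

def crl_extension_oids(crl_der):
    """Return the extension OIDs (raw DER content bytes) in crlExtensions."""
    (_, cert_list), = children(crl_der)            # CertificateList
    _, tbs = next(children(cert_list))             # TBSCertList
    for tag, body in children(tbs):
        if tag == 0xA0:                            # crlExtensions [0] EXPLICIT
            (_, exts), = children(body)
            return [next(children(ext))[1] for _, ext in children(exts)]
    return []                                      # v1 CRL or no extensions

def has_aki(crl_der):
    return OID_AKI in crl_extension_oids(crl_der)

def sample_crl(ext_oids):
    """Constructed v2 CRL skeleton for the demo; signature bits are dummy zeros."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
    cn = tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, b"Example CA"))
    name = tlv(0x30, tlv(0x31, cn))
    # Each extension: OID plus a placeholder extnValue (an empty SEQUENCE).
    exts = b"".join(tlv(0x30, tlv(0x06, o) + tlv(0x04, tlv(0x30, b""))) for o in ext_oids)
    tbs = tlv(0x30, tlv(0x02, b"\x01") + alg + name + tlv(0x17, b"141217000000Z")
              + tlv(0xA0, tlv(0x30, exts)))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" + b"\x00" * 8))
```

To check a real CRL, pass the DER bytes of the published file to `has_aki`; a PEM file must be base64-decoded first.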
