[Pki-devel] [PATCH] 0017 Enable Authority Key Identifier CRL extension
Christina Fu
cfu at redhat.com
Wed Dec 17 18:13:04 UTC 2014
Hi Fraser,
Regarding CRL, I found the following:
https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/ilOoDiCU4JM
So I think we can just forget it then, unless you want to install old FF
to try.
You have an ACK on this patch now.
About upgrade, I can see that you are on the right path there with the
upgrade script, and it looks to do the thing, but since I don't have
much experience with Python, could you please ask Endi to take a closer
look?
thanks!
Christina
On 12/16/2014 06:36 PM, Fraser Tweedale wrote:
> Hi Christina,
>
> Following up on your request for further testing, see below.
>
> On Thu, Oct 30, 2014 at 09:25:56AM -0700, Christina Fu wrote:
>> Fraser,
>>
>> Good catch!
>>
>> I'm wondering why it was disabled. Could there be a reason? Fraser, if you
>> have not done so, may I trouble you to take one more step in the testing and
>> see if you can
>> 1. verify the CRLs generated after the enabling of AKI indeed have the
>> extension
>>
> The extension is present.
>
>> 2. the CRL is accepted by the OCSP
>>
> The OCSP responder works fine with the CRLs when the AKI extension
> has been enabled.
>
>> 3. test FF cert verification with both CRL and OCSP
>>
> Firefox OCSP check works fine. I'm not sure how to test the CRL in
> Firefox. Advice?
>
>> Regarding upgrade script, I'll say yes if possible. But we should try to
>> conform to the existing upgrade mechanisms/decision.
>>
> Patch will be out shortly.
>
> Cheers,
>
> Fraser
>
>> thanks,
>> Christina
>>
>> On 10/29/2014 11:09 PM, Fraser Tweedale wrote:
>>> This patch enables the Authority Key Identifier CRL Extension, which
>>> is REQUIRED by RFC 5280, by default.
>>>
>>> Should existing instances be left alone or should I also look at an
>>> upgrade script that offers to upgrade CS.cfg to be conformant?
>>>
>>> Fraser
>>>
>>>
>>> _______________________________________________
>>> Pki-devel mailing list
>>> Pki-devel at redhat.com
>>> https://www.redhat.com/mailman/listinfo/pki-devel