[Pki-devel] [PATCH] 0017 Enable Authority Key Identifier CRL extension

Fraser Tweedale ftweedal at redhat.com
Thu Dec 18 00:59:49 UTC 2014


On Wed, Dec 17, 2014 at 10:13:04AM -0800, Christina Fu wrote:
> Hi Fraser,
> Regarding CRL, I found the following:
> https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/ilOoDiCU4JM
> So I think we can just forget it then, unless you want to install old FF to
> try.
> You have an ACK on this patch now.
> 
> About upgrade, I can see that you are on the right path there with the
> upgrade script, and it looks to do the thing, but since I don't have much
> experience with Python, could you please ask Endi to take a closer look?
> 
Thanks Christina.

Endi, any comments on upgrade script?

Currently if you opt out of an upgrade step it aborts the whole
process.  I think there could be scope for marking upgrade steps as
optional so that the process doesn't bail out, but I haven't
addressed that in the patch - wanted to solicit feedback first.

Cheers,

Fraser

> thanks!
> Christina
> 
> On 12/16/2014 06:36 PM, Fraser Tweedale wrote:
> >Hi Christina,
> >
> >Following up on your request for further testing, see below.
> >
> >On Thu, Oct 30, 2014 at 09:25:56AM -0700, Christina Fu wrote:
> >>Fraser,
> >>
> >>Good catch!
> >>
> >>I'm wondering why it was disabled.  Could there be a reason? Fraser, if you
> >>have not done so, may I trouble you to take one more step in the testing and
> >>see if you can
> >>1. verify the CRLs generated after the enabling of AKI indeed have the
> >>extension
> >>
> >The extension is present.
> >
> >>2. the CRL is accepted by the OCSP
> >>
> >The OCSP responder works fine with the CRLs when the AKI extension
> >has been enabled.
> >
> >>3. test FF cert verification with both CRL and OCSP
> >>
> >Firefox OCSP check works fine.  I'm not sure how to test the CRL in
> >Firefox.  Advice?
> >
> >>Regarding upgrade script, I'll say yes if possible.  But we should try to
> >>conform to the existing upgrade mechanisms/decision.
> >>
> >Patch will be out shortly.
> >
> >Cheers,
> >
> >Fraser
> >
> >>thanks,
> >>Christina
> >>
> >>On 10/29/2014 11:09 PM, Fraser Tweedale wrote:
> >>>This patch enables the Authority Key Identifier CRL Extension, which
> >>>is REQUIRED by RFC 5280, by default.
> >>>
> >>>Should existing instances be left alone or should I also look at an
> >>>upgrade script that offers to upgrade CS.cfg to be conformant?
> >>>
> >>>Fraser
> >>>
> >>>
> >>>_______________________________________________
> >>>Pki-devel mailing list
> >>>Pki-devel at redhat.com
> >>>https://www.redhat.com/mailman/listinfo/pki-devel
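A check for the first of Christina's test items above (that the generated CRLs actually carry the AKI extension), added here as an example that is not part of this thread or of Dogtag's own code. It walks the CRL's DER directly with no third-party modules; the sample CRL it builds is constructed for the test and carries a dummy signature, so only the extension check is meaningful.

```python
# Constructed example: check a DER X.509 CRL for the Authority Key Identifier
# extension (OID 2.5.29.35), required by RFC 5280 s.5.2.1. Sample CRL is hand-built.
AKI_OID = bytes.fromhex("551d23")  # 2.5.29.35, DER content octets

def _tlv(buf, pos=0):
    """Decode one DER TLV starting at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Yield (tag, value) for each element of a SEQUENCE/SET body."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        yield tag, val

def crl_authority_key_id(crl_der):
    """Return the AKI keyIdentifier bytes, b"" if AKI has none, None if the extension is absent."""
    tbs = next(_children(_tlv(crl_der)[1]))[1]  # CertificateList ::= SEQ { tbsCertList, alg, sig }
    tag, exts = list(_children(tbs))[-1]  # crlExtensions [0] EXPLICIT is the last TBS field
    if tag != 0xA0:  # no [0] tagged element: the CRL carries no extensions at all
        return None
    for _, ext in _children(_tlv(exts)[1]):  # Extension ::= SEQ { oid, critical?, extnValue }
        parts = list(_children(ext))
        if parts[0] == (0x06, AKI_OID):
            aki_seq = _tlv(parts[-1][1])[1]  # extnValue OCTET STRING wraps AuthorityKeyIdentifier
            return next((v for t, v in _children(aki_seq) if t == 0x80), b"")  # [0] keyIdentifier
    return None

def _der(tag, body):
    """Encode one DER TLV, using the long length form when needed."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def build_sample_crl(key_id=None):
    """Hand-built v2 CRL for 'CN=Test CA' with a dummy signature; AKI only if key_id is given."""
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))  # sha256WithRSA
    issuer = _der(0x30, _der(0x31, _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x13, b"Test CA"))))
    tbs = _der(0x02, b"\x01") + alg + issuer + _der(0x17, b"141218000000Z")  # version v2, thisUpdate
    if key_id is not None:
        aki = _der(0x30, _der(0x80, key_id))  # AuthorityKeyIdentifier ::= SEQUENCE { [0] keyIdentifier }
        tbs += _der(0xA0, _der(0x30, _der(0x30, _der(0x06, AKI_OID) + _der(0x04, aki))))
    return _der(0x30, _der(0x30, tbs) + alg + _der(0x03, bytes(9)))  # BIT STRING: 0 unused bits + zeros
```

Against a real Dogtag CRL, compare the returned keyIdentifier with the CA certificate's Subject Key Identifier; a mismatch or a None result is what the OCSP responder and clients would trip over.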