[Pki-devel] [PATCH] 0017 Enable Authority Key Identifier CRL extension
Fraser Tweedale
ftweedal at redhat.com
Fri Oct 31 05:17:16 UTC 2014
On Thu, Oct 30, 2014 at 09:25:56AM -0700, Christina Fu wrote:
> Fraser,
>
> Good catch!
>
> I'm wondering why it was disabled. Could there be a reason? Fraser, if you
> have not done so, may I trouble you to take one more step in the testing and
> see if you can
> 1. verify the CRLs generated after the enabling of AKI indeed has the
> extension
> 2. the CRL is accepted by the OCSP
> 3. test FF cert verification with both CRL and OCSP
>
> Regarding upgrade script, I'll say yes if possible. But we should try to
> conform to the existing upgrade mechanisms/decision.
>
> thanks,
> Christina
>
The AKI extension being disabled predates the git repo (March 2008).
If there is a reason, only someone who's been around a while will
know it :)
I'll do some more testing of those scenarios and write an upgrade
script.
Thanks,
Fraser
> On 10/29/2014 11:09 PM, Fraser Tweedale wrote:
> >This patch enables the Authority Key Identifier CRL Extension, which
> >is REQUIRED by RFC 5280, by default.
> >
> >Should existing instances be left alone or should I also look at an
> >upgrade script that offers to upgrade CS.cfg to be conformant?
> >
> >Fraser
> >
> >
> >_______________________________________________
> >Pki-devel mailing list
> >Pki-devel at redhat.com
> >https://www.redhat.com/mailman/listinfo/pki-devel
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
More information about the Pki-devel
mailing list