[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Pki-devel] [PATCH] 0037 Store issuser DN in certificate records



On Mon, Jun 15, 2015 at 02:52:17PM -0500, Endi Sukma Dewata wrote:
> On 6/11/2015 9:24 AM, Fraser Tweedale wrote:
> >This patch causes Issuer DN to be stored in certificate records
> >using existing (unused) 'issuerName' attribute schema.
> >
> >This will allow me to change sub-CAs implementation to a shared
> >certificate repo which means I don't have to worry about range
> >management anymore :)  But I think it is a sensible change in its
> >own right.
> >
> >UI / CLI filters for issuer can come later - there's a TODO for that
> >on my tracking etherpad[1] and I will file a ticket later.
> >
> >[1] http://idm.etherpad.corp.redhat.com/rhel72-cert-mgmt-progress
> >
> >Cheers,
> >Fraser
> 
> The patch itself looks good, but we also need to consider the existing
> certificate records in the database that do not have the issuerName. Two
> possibilities:
> 
> 1. Add issuerName into all existing certificate records using a database
> upgrade script.
> 
> 2. Maintain two types of certs such that:
> * Certs issued by the main CA (and standalone sub CA) will continue to have
> empty issuerName.
> * Certs issued by the light-weight sub CA will have non-empty issuerName.
> 
> Any preference?
> 
> -- 
> Endi S. Dewata

I previously discussed option (2) with Ade, but on reflection I
think an upgrade script is the way to go - the better to have only
the only case to handle elsewhere.  I will write the upgrade script.

Thanks,
Fraser


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]