[Pki-devel] [PATCH] 0037-2, 0053 ensure correct CRL contents for host CA
Ade Lee
alee at redhat.com
Wed Oct 21 03:24:13 UTC 2015
Nope -- if it works just fine, then ACK.
On Wed, 2015-10-21 at 13:08 +1000, Fraser Tweedale wrote:
> On Tue, Oct 20, 2015 at 03:59:16PM -0400, Ade Lee wrote:
> > ACK on 37-2 - and yes, we need an upgrade script for this.
> >
> Thanks.
>
> > For 53, I have some questions ..
> >
> > If, prior to the code that creates issuerFilter, filter is blank,
> > then with your code, we will end up with:
> >
> > filter = (&(issuer_filter))
> >
> > which is a filter with an and-operator and only one and-clause.
> > As far as I know, that won't work.
> >
> Well spotted. It works just fine. (&...) and (|...) work with 1..n
> clauses.
>
> Did you have other feedback re 53?
>
> Cheers,
> Fraser
>
> > Ade
> >
> > On Fri, 2015-10-09 at 17:39 +1000, Fraser Tweedale wrote:
> > > The attached patches fix https://fedorahosted.org/pki/ticket/1626
> > > .
> > >
> > > 0037-2: earlier patch to store issuer DN in certificate entries,
> > > updated to add indices for the 'issuerName' attribute.
> > >
> > > 0053: updates the filter used by CRLIP to find certs to include
> > > in
> > > CRL.
> > >
> > > Note the following limitations:
> > >
> > > 1. No database update in relation to issuerName attribute and
> > > indices. If people are otherwise satisfied with the patch, I
> > > will
> > > file a ticket for the database upgrade aspect.
> > >
> > > 2. There is no way to define CRLIP for a lightweight CA. There
> > > is a
> > > separate ticket for this:
> > > https://fedorahosted.org/pki/ticket/1626
> > > (currently not a priority).
> > >
> > > Cheers,
> > > Fraser
> > > _______________________________________________
> > > Pki-devel mailing list
> > > Pki-devel at redhat.com
> > > https://www.redhat.com/mailman/listinfo/pki-devel
More information about the Pki-devel
mailing list