[Pki-devel] [PATCH] 0037-2, 0053 ensure correct CRL contents for host CA
Fraser Tweedale
ftweedal at redhat.com
Wed Oct 21 03:08:12 UTC 2015
On Tue, Oct 20, 2015 at 03:59:16PM -0400, Ade Lee wrote:
> ACK on 37-2 - and yes, we need an upgrade script for this.
>
Thanks.
> For 53, I have some questions ..
>
> If, prior to the code that creates issuerFilter, filter is blank,
> then with your code, we will end up with:
>
> filter = (&(issuer_filter))
>
> which is a filter with an and-operator and only one and-clause.
> As far as I know, that won't work.
>
Well spotted. It works just fine. (&...) and (|...) work with 1..n
clauses.
Did you have other feedback re 53?
Cheers,
Fraser
> Ade
>
> On Fri, 2015-10-09 at 17:39 +1000, Fraser Tweedale wrote:
> > The attached patches fix https://fedorahosted.org/pki/ticket/1626.
> >
> > 0037-2: earlier patch to store issuer DN in certificate entries,
> > updated to add indices for the 'issuerName' attribute.
> >
> > 0053: updates the filter used by CRLIP to find certs to include in
> > CRL.
> >
> > Note the following limitations:
> >
> > 1. No database update in relation to issuerName attribute and
> > indices. If people are otherwise satisfied with the patch, I will
> > file a ticket for the database upgrade aspect.
> >
> > 2. There is no way to define CRLIP for a lightweight CA. There is a
> > separate ticket for this: https://fedorahosted.org/pki/ticket/1626
> > (currently not a priority).
> >
> > Cheers,
> > Fraser
> > _______________________________________________
> > Pki-devel mailing list
> > Pki-devel at redhat.com
> > https://www.redhat.com/mailman/listinfo/pki-devel
More information about the Pki-devel
mailing list