[Pki-devel] [PATCH]pki-cfu-0149-Ticket-2246-MAN-Man-Page-AuditVerify.patch

Endi Sukma Dewata edewata at redhat.com
Fri Jul 15 03:45:55 UTC 2016 

On 7/12/2016 8:27 PM, Christina Fu wrote:
> man page for AuditVerify
>
> https://fedorahosted.org/pki/ticket/2246

Some comments/questions:

1. I think the -P option would unlikely be used. Can we remove this 
option in the future?

2. In the description for the -a option, there's a missing space before 
the left parenthesis:

   ... paths(in chronological order) ...

3. Do we assume the auditor to have an access to the machine running the 
PKI server? Does the auditor have a read access to the files in the 
instance folder?

4. Normally the server does not export the system certificate into 
files, so the admin has to do that before the auditor can import the 
file with this command:

   certutil -d ~jsmith/auditVerifyDir/ -A -n "CA Certificate" -t
   "CT,CT,CT" -a -i /var/lib/instance_ID/alias/cacert.txt

I think we should replace the path with "-i cacert.txt". Here we're 
assuming the auditor already has the certificate file.

5. Similarly, the path to the audit certificate file should be replaced 
with "-i logsigncert.txt":

   certutil -d ~jsmith/auditVerifyDir -A -n "Log Signing Certificate"-t
   ",,P" -a -i /var/lib/instance_ID/alias/logsigncert.txt

6. There should be a space before the -t in #5.

7. The following phrase assumes the auditor has a write access to 
/etc/audit, is that the case? Or do we expect someone else to prepare 
the file for the auditor?

   ... this file could be logListFile in the /etc/audit directory ...

8. The database path in the description does not match the command:

   ... in the user home directory, such as /home/smith/.mozilla, ...

   AuditVerify -d ~jsmith/auitVerifyDir ...

9. The "auditVerifyDir" is misspelled in #8.

10. When viewed using the man tool, the quotes surrounding 
"auditsigningcert" disappear causing an extra space before the comma:

   ... and the signing certificate nickname is auditsigningcert , ...

11. The "auditsigningcert" nickname is inconsistent with the "Log 
Signing Certificate" used in #5.

12. The explanation for the verification failure in the following ticket 
is not included yet:
https://fedorahosted.org/pki/ticket/2217

Is it going to be added in a separate patch?

-- 
Endi S. Dewata

More information about the Pki-devel mailing list