[Pki-devel] [PATCH]pki-cfu-0149-Ticket-2246-MAN-Man-Page-AuditVerify.patch

Christina Fu cfu at redhat.com
Fri Jul 15 18:04:59 UTC 2016


pushed per Endi's verbal conditional ack:

commit 078dfc1f01dea30800f19eed6df4ed547edffee3

thanks!!

Christina


On 07/14/2016 08:45 PM, Endi Sukma Dewata wrote:
> On 7/12/2016 8:27 PM, Christina Fu wrote:
>> man page for AuditVerify
>>
>> https://fedorahosted.org/pki/ticket/2246
>
> Some comments/questions:
>
> 1. I think the -P option is unlikely to be used. Can we remove this 
> option in the future?
>
> 2. In the description for the -a option, there's a missing space 
> before the left parenthesis:
>
>   ... paths(in chronological order) ...
>
> 3. Do we assume the auditor has access to the machine running 
> the PKI server? Does the auditor have read access to the files in 
> the instance folder?
>
> 4. Normally the server does not export the system certificate into 
> files, so the admin has to do that before the auditor can import the 
> file with this command:
>
>   certutil -d ~jsmith/auditVerifyDir/ -A -n "CA Certificate" -t
>   "CT,CT,CT" -a -i /var/lib/instance_ID/alias/cacert.txt
>
> I think we should replace the path with "-i cacert.txt". Here we're 
> assuming the auditor already has the certificate file.
>
> 5. Similarly, the path to the audit certificate file should be 
> replaced with "-i logsigncert.txt":
>
>   certutil -d ~jsmith/auditVerifyDir -A -n "Log Signing Certificate"-t
>   ",,P" -a -i /var/lib/instance_ID/alias/logsigncert.txt
>
> 6. There should be a space before the -t in #5.
>
> 7. The following phrase assumes the auditor has write access to 
> /etc/audit, is that the case? Or do we expect someone else to prepare 
> the file for the auditor?
>
>   ... this file could be logListFile in the /etc/audit directory ...
>
> 8. The database path in the description does not match the command:
>
>   ... in the user home directory, such as /home/smith/.mozilla, ...
>
>   AuditVerify -d ~jsmith/auitVerifyDir ...
>
> 9. The "auditVerifyDir" is misspelled in #8.
>
> 10. When viewed using the man tool, the quotes surrounding 
> "auditsigningcert" disappear, causing an extra space before the comma:
>
>   ... and the signing certificate nickname is auditsigningcert , ...
>
> 11. The "auditsigningcert" nickname is inconsistent with the "Log 
> Signing Certificate" used in #5.
>
> 12. The explanation for the verification failure in the following 
> ticket is not included yet:
> https://fedorahosted.org/pki/ticket/2217
>
> Is it going to be added in a separate patch?
>



