[Pki-devel] [Freeipa-devel] Design review request: RFC 2818 certificate compliance

Fraser Tweedale ftweedal at redhat.com
Tue Mar 15 00:32:08 UTC 2016


On Tue, Mar 15, 2016 at 07:59:57AM +1000, Fraser Tweedale wrote:
> On Mon, Mar 14, 2016 at 09:29:37AM -0700, Christina Fu wrote:
> > 
> > 
> > On 03/12/2016 11:51 PM, Fraser Tweedale wrote:
> > >On Fri, Mar 11, 2016 at 10:20:49AM -0800, Christina Fu wrote:
> > >>Hi Fraser,
> > >>
> > >>I think the general idea looks good.  If tested to work, I actually think
> > >>you should have it replace the current caServerCert.cfg and make it the
> > >>default server cert profile for Dogtag.  So I'd suggest you name things more
> > >>generically.
> > >>
> > >Thanks Christina for the feedback.  W.r.t naming, can you clarify
> > >what you think should be more generic and why?
> > Actually it was more of a preemptive comment that was not specifically
> > directed towards anything in your current design.
> > I just took a closer look, and I think your new profile plugin name
> > (SubjectAltNameCopyCNDefault) sounds good.
> > 
> > About replacing existing caServerCert.cfg, consider keeping it, but
> > 1. name the new profile something like caServerSANCert.cfg
> > 2. make caServerSANCert.cfg default (enable it), and disable
> > caServerCert.cfg by default
> > 
> > Anyway, you get the idea.  The point is that I think we should fundamentally
> > adhere to the standard in Dogtag, so such a fix should be part of the Dogtag
> > default.
> > 
> > thanks,
> > Christina
> > 
> Understood; thanks.  I'll file a ticket for the Dogtag profile
> change.
> 
As promised: https://fedorahosted.org/pki/ticket/2233 replace
caServerCert profile with one that issues RFC 2818-compliant certs

Cheers,
Fraser



