On Thu, Oct 30, 2014 at 09:25:56AM -0700, Christina Fu wrote:
Fraser,
Good catch!
I'm wondering why it was disabled. Could there be a reason? Fraser, if you
have not done so, may I trouble you to take one more step in the testing and
see if you can
1. verify the CRLs generated after the enabling of AKI indeed have the
extension
2. the CRL is accepted by the OCSP
3. test FF cert verification with both CRL and OCSP
Regarding upgrade script, I'll say yes if possible. But we should try to
conform to the existing upgrade mechanisms/decision.
thanks,
Christina
The AKI extension being disabled predates the git repo (March 2008).
If there is a reason, only someone who's been around a while will
know it :)
I'll do some more testing of those scenarios and write an upgrade
script.
Thanks,
Fraser
On 10/29/2014 11:09 PM, Fraser Tweedale wrote:
>This patch enables the Authority Key Identifier CRL Extension, which
>is REQUIRED by RFC 5280, by default.
>
>Should existing instances be left alone or should I also look at an
>upgrade script that offers to upgrade CS.cfg to be conformant?
>
>Fraser
>
>
>_______________________________________________
>Pki-devel mailing list
>Pki-devel(a)redhat.com
>https://www.redhat.com/mailman/listinfo/pki-devel
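Added example, not part of the thread and not Dogtag code: step 1 of the checks requested above (confirming that a generated CRL carries the Authority Key Identifier extension) can be done structurally by walking the CRL's DER encoding. The sample CRL, its issuer name and its dummy signature are constructed for illustration; only the extension list is inspected and no signature is verified.

```python
# Added example: list a CRL's extension OIDs with a small stdlib-only DER walk.
AKI_OID = "2.5.29.35"  # id-ce-authorityKeyIdentifier
def read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(content):
    pos, out = 0, []
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

def decode_oid(body):
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends an arc
            arcs, value = arcs + [value], 0
    first = min(arcs[0] // 40, 2)  # first value packs the first two arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def crl_extension_oids(der):
    _, cert_list, _ = read_tlv(der, 0)  # CertificateList
    for tag, body in children(children(cert_list)[0][1]):  # TBSCertList fields
        if tag == 0xA0:  # crlExtensions [0] EXPLICIT
            return [decode_oid(children(e)[0][1]) for _, e in children(children(body)[0][1])]
    return []  # v1 CRL or no extensions present

def tlv(tag, content):  # minimal DER encoder, used only to build the sample
    n, size = len(content), (len(content).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + content

def sample_crl(with_aki):  # constructed CRL: made-up issuer, dummy signature
    oid = lambda h: tlv(0x06, bytes.fromhex(h))
    alg = tlv(0x30, oid("2a864886f70d01010b") + tlv(0x05, b""))
    name = tlv(0x30, tlv(0x31, tlv(0x30, oid("550403") + tlv(0x0C, b"Example CA"))))
    exts = [tlv(0x30, oid("551d14") + tlv(0x04, tlv(0x02, b"\x01")))]  # cRLNumber
    if with_aki:  # AKI value: SEQUENCE { [0] keyIdentifier (20 placeholder bytes) }
        exts.append(tlv(0x30, oid("551d23") + tlv(0x04, tlv(0x30, tlv(0x80, bytes(20))))))
    body = tlv(0x02, b"\x01") + alg + name + tlv(0x17, b"141030000000Z")
    tbs = tlv(0x30, body + tlv(0xA0, tlv(0x30, b"".join(exts))))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" + bytes(8)))
```

To check a real CRL, pass its DER bytes to crl_extension_oids() and test whether AKI_OID is in the result.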