Hi Christina,
Following up on your request for further testing, see below.
On Thu, Oct 30, 2014 at 09:25:56AM -0700, Christina Fu wrote:
> Fraser,
> Good catch!
> I'm wondering why it was disabled. Could there be a reason? Fraser, if you
> have not done so, may I trouble you to take one more step in the testing and
> see if you can
> 1. verify the CRLs generated after the enabling of AKI indeed have the
> extension

The extension is present.

> 2. the CRL is accepted by the OCSP

The OCSP responder works fine with the CRLs when the AKI extension
has been enabled.

> 3. test FF cert verification with both CRL and OCSP

Firefox OCSP check works fine. I'm not sure how to test the CRL in
Firefox. Advice?

> Regarding upgrade script, I'll say yes if possible. But we should try to
> conform to the existing upgrade mechanisms/decision.

Patch will be out shortly.

Cheers,
Fraser

> thanks,
> Christina
> On 10/29/2014 11:09 PM, Fraser Tweedale wrote:
> >This patch enables the Authority Key Identifier CRL Extension, which
> >is REQUIRED by RFC 5280, by default.
> >
> >Should existing instances be left alone or should I also look at an
> >upgrade script that offers to upgrade CS.cfg to be conformant?
> >
> >Fraser
> >
> >
> >_______________________________________________
> >Pki-devel mailing list
> >Pki-devel(a)redhat.com
> >https://www.redhat.com/mailman/listinfo/pki-devel