Re: [Pki-devel] [PATCH] 0017 Enable Authority Key Identifier CRL extension

Hi Christina, Following up on your request for further testing, see below. On Thu, Oct 30, 2014 at 09:25:56AM -0700, Christina Fu wrote: > Fraser, > > Good catch! > > I'm wondering why it was disabled. Could there be a reason? Fraser, if you > have not done so, may I trouble you to take one more step in the testing and > see if you can > 1. verify the CRLs generated after the enabling of AKI indeed has the > extension > The extension is present. > 2. the CRL is accepted by the OCSP > The OCSP responder works fine with the CRLs when the AKI extension has been enabled. > 3. test FF cert verification with both CRL and OCSP > Firefox OCSP check works fine. I'm not sure how to test the CRL in Firefox. Advice? > Regarding upgrade script, I'll say yes if possible. But we should try to > conform to the existing upgrade mechanisms/decision. > Patch will be out shortly. Cheers, Fraser > thanks, > Christina > > On 10/29/2014 11:09 PM, Fraser Tweedale wrote: >> This patch enables the Authority Key Identifier CRL Extension, which >> is REQUIRED by RFC 5280, by default. >> >> Should existing instances be left alone or should I also look at an >> upgrade script that offers to upgrade CS.cfg to be conformant? >> >> Fraser >> >> >> _______________________________________________ >> Pki-devel mailing list >> Pki-devel(a)redhat.com >> https://www.redhat.com/mailman/listinfo/pki-devel > _______________________________________________ > Pki-devel mailing list > Pki-devel(a)redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel