ACKED by cfu and she verbally acked a quick addition to the fix for #1664
Pushed to master.
----- Original Message -----
From: "Christina Fu" <cfu(a)redhat.com>
To: pki-devel(a)redhat.com
Sent: Friday, October 7, 2016 5:06:51 PM
Subject: Re: [Pki-devel] Fwd: [pli-devel][PATCH] 0081-Fix-for-Add-ability-to-disallow-TPS-to-enroll-a-sing.patch
Code looks good. One suggestion. Since we have to appease to the current NSS way of
looking up certs, how about making the default true so that it will keep the old
encryption certs by default?
Of course we are taking up more space now on the token when it's true, so we should
plan to revert it when/if NSS changes.
conditional ACK if you do that.
Christina
On 10/07/2016 02:01 PM, John Magne wrote:
Actually attach the patch.
----- Forwarded Message -----
From: "John Magne" <jmagne(a)redhat.com>
To: "pki-devel" <pki-devel(a)redhat.com>
Sent: Friday, October 7, 2016 11:45:17 AM
Subject: [pli-devel][PATCH] 0081-Fix-for-Add-ability-to-disallow-TPS-to-enroll-a-sing.patch
Fix for: Add ability to disallow TPS to enroll a single user on multiple tokens. #1664
This bug was previously not completely fixed where we left a loophole to allow a user
to end up with 2 active tokens. This fix closes that loophole.
Also:
Fix for: Unable to read an encrypted email using renewed tokens. #2483
This fix provides for a new optional renewal based token policy, that
allows the user to retain or recover old encryption certs for that profile,
that get overwritten by the renewal process.
An example is:
RENEW=YES;RENEW_KEEP_OLD_ENC_CERTS=YES
The second part of the policy is new.
When this is set to "YES", the system will make sure the old enc cert
will remain on the token. If it's missing or "NO", no such attempt will
be made.
_______________________________________________
Pki-devel mailing list Pki-devel(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel