[PATCH] 564 Fixed problem with TPS profile status.
by Endi Sukma Dewata
The base class of ProfileDatabase (i.e. CSCfgDatabase) has been
modified to return the correct default value (i.e. Enabled) if the
status parameter doesn't exist. The TPSProcessor has been modified
to use ProfileDatabase, and other TPS code has also been changed
to use constants instead of string literals to ensure consistency.
https://fedorahosted.org/pki/ticket/1270
--
Endi S. Dewata
9 years
assorted sub-CA use case questions
by Fraser Tweedale
Hi Christina,
The following questions emerged in recent discussions and work on
sub-CAs. Your responses will be helpful in working out what work is
needed, and when.
*OCSP signing*
Currently sub-CAs sign OCSP responses with the CA signing
certificate, rather than using the CA cert to sign an OCSP signing
cert and delegating OCSP signing to it.
Question: do you expect customers who use sub-CAs will want to be
able to choose whether sub-CAs have OCSP signing delegate? If so,
how fine-grained should the control be (instance-wide config,
per-subCA, etc?), and can this feature be deferred (i.e. is OCSP
signing directly by CA acceptable for initial release of sub-CAs)?
*Sub-CA DNs*
There is currently no check that a sub-CA's DN is unique.
Question: should we enforce CA DN uniqueness within the Dogtag
instance?
*Sub-CA certificate profile*
Currently sub-CA certificates are created using the `caCert' profile
(the same profile that is used for the self-signed root
certificate).
Question: how much control over aspects of the sub-CA certificates
will customers need or want? (e.g. validity period,
pathLenConstraint, nonstandard extensions, etc). Is using the
`caCert' profile defaults fine for the initial release?
Look forward to your input.
Cheers,
Fraser
9 years
EMV CPS 1.1 support
by Javier Gallart
Hello
sorry for posting twice, but I think this is the proper list for this
question:
"we're working with G&D SmartCafe 3.2 cards and trying to integrate them
with Dogtag. They use the EMV CPS 1.1 key derivation protocol for obtaining
the session keys in a Secure Channel establishment (SCP02). Is there any plan
to include it in Dogtag? If not, would a patch implementing it be
considered?"
Thanks in advance
Javi
9 years