Re: [Pki-devel] [PATCH] DRM Transport Key Rotation
Just a few comments/ questions so I can understand the patch better.
1. In CAEnrollProfile, you update the request queue only if the
transport cert is invalid. Why do we need to do this? Or why do we not
need to do this in all cases here?
2. In EnrollProfile.java, you get the transport cert from
ca.connector.KRA.transportCert. Is it possible to have more than one CA
connected? Is that parameter always the correct one to use?
3. In EnrollmentService.java, you read the transport cert attribute in
the request, and throw an exception of it is not present (basically
tcert == null). This will presumably occur if you receive an escrow
request from an older CA, right? How are we handling this case?
4. Incidentally,
transportCert != null && transportCert.length() > 0
can be replaced with ! StringUtils.isEmpty(transportCert)
Same thing in a couple other places.
5. Why do you return true in KRAService.java (serviceRequest) instead of
false?
Ade
On Wed, 2013-09-25 at 16:59 -0700, Andrew Wnuk wrote:
This patch provides basic support for DRM transport key rotation
described
in http://pki.fedoraproject.org/wiki/DRM_Transport_Key_Rotation
This patch provides implementation for tickets:
- 729 - CA to include transport certificate when submitting
archival request to DRM
- 730 - DRM to detect presence of transport certificate attribute
in submitted archival
request and validate transport certificate against DRM's
transport key list
- 731 - DRM to provide handling for alternative transport key
based on detected
and validated transport certificate arriving as a part of
extended archival request
_______________________________________________
Pki-devel mailing list
Pki-devel(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel