On 7/12/2016 8:27 PM, Christina Fu wrote:
Some comments/questions:
1. I think the -P option is unlikely to be used. Can we remove this
option in the future?
2. In the description for the -a option, there's a missing space before
the left parenthesis:
... paths(in chronological order) ...
3. Do we assume the auditor has access to the machine running the
PKI server? Does the auditor have read access to the files in the
instance folder?
4. Normally the server does not export the system certificate into
files, so the admin has to do that before the auditor can import the
file with this command:
certutil -d ~jsmith/auditVerifyDir/ -A -n "CA Certificate" -t
"CT,CT,CT" -a -i /var/lib/instance_ID/alias/cacert.txt
I think we should replace the path with "-i cacert.txt". Here we're
assuming the auditor already has the certificate file.
5. Similarly, the path to the audit certificate file should be replaced
with "-i logsigncert.txt":
certutil -d ~jsmith/auditVerifyDir -A -n "Log Signing Certificate"-t
",,P" -a -i /var/lib/instance_ID/alias/logsigncert.txt
6. There should be a space before the -t in #5.
7. The following phrase assumes the auditor has write access to
/etc/audit. Is that the case? Or do we expect someone else to prepare
the file for the auditor?
... this file could be logListFile in the /etc/audit directory ...
8. The database path in the description does not match the command:
... in the user home directory, such as /home/smith/.mozilla, ...
AuditVerify -d ~jsmith/auitVerifyDir ...
9. The "auditVerifyDir" is misspelled in #8.
10. When viewed using the man tool, the quotes surrounding
"auditsigningcert" disappear, causing an extra space before the comma:
... and the signing certificate nickname is auditsigningcert , ...
11. The "auditsigningcert" nickname is inconsistent with the "Log
Signing Certificate" used in #5.
12. The explanation for the verification failure in the following ticket
is not included yet:
https://fedorahosted.org/pki/ticket/2217
Is it going to be added in a separate patch?
--
Endi S. Dewata