On Wed, Dec 17, 2014 at 10:13:04AM -0800, Christina Fu wrote:
Hi Fraser,

Regarding CRL, I found the following:
https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/ilOoD...
So I think we can just forget it then, unless you want to install old FF to
try.
You have an ACK on this patch now.

About upgrade, I can see that you are on the right path there with the
upgrade script, and it looks to do the thing, but since I don't have much
experience with Python, could you please ask Endi to take a closer look?

Thanks Christina.

Endi, any comments on upgrade script?

Currently if you opt out of an upgrade step it aborts the whole
process. I think there could be scope for marking upgrade steps as
optional so that the process doesn't bail out, but I haven't
addressed that in the patch - wanted to solicit feedback first.

Cheers,
Fraser

thanks!
Christina

On 12/16/2014 06:36 PM, Fraser Tweedale wrote:
>Hi Christina,
>
>Following up on your request for further testing, see below.
>
>On Thu, Oct 30, 2014 at 09:25:56AM -0700, Christina Fu wrote:
>>Fraser,
>>
>>Good catch!
>>
>>I'm wondering why it was disabled. Could there be a reason? Fraser, if you
>>have not done so, may I trouble you to take one more step in the testing and
>>see if you can
>>1. verify the CRLs generated after the enabling of AKI indeed have the
>>extension
>>
>The extension is present.
>
>>2. the CRL is accepted by the OCSP
>>
>The OCSP responder works fine with the CRLs when the AKI extension
>has been enabled.
>
>>3. test FF cert verification with both CRL and OCSP
>>
>Firefox OCSP check works fine. I'm not sure how to test the CRL in
>Firefox. Advice?
>
>>Regarding upgrade script, I'll say yes if possible. But we should try to
>>conform to the existing upgrade mechanisms/decision.
>>
>Patch will be out shortly.
>
>Cheers,
>
>Fraser
>
>>thanks,
>>Christina
>>
>>On 10/29/2014 11:09 PM, Fraser Tweedale wrote:
>>>This patch enables the Authority Key Identifier CRL Extension, which
>>>is REQUIRED by RFC 5280, by default.
>>>
>>>Should existing instances be left alone or should I also look at an
>>>upgrade script that offers to upgrade CS.cfg to be conformant?
>>>
>>>Fraser
>>>
>>>
>>>_______________________________________________
>>>Pki-devel mailing list
>>>Pki-devel(a)redhat.com
>>>https://www.redhat.com/mailman/listinfo/pki-devel