On Fri, Sep 25, 2015 at 11:30:12PM +1000, Fraser Tweedale wrote:
> There is a problem with allowing authority DNs to be reused - when
> adding the cert to the NSSDB, regardless of what nickname you tell it
> to use, it will put the cert under the nickname of the existing cert
> with that subject DN. Thus when you go to find the cert by
> nickname, it cannot locate it. Failure ensues. This is possibly a
> bug in NSS (it's certainly surprising), but I need more time to
> analyse it.
The observed NSS behaviour (one nickname for all certs with a given
Subject DN) is by design. It was a limitation in the old nssdb
design, but is now an artificial restriction to maintain the old
behaviour. There is apparently no intention / desire to remove it.
I will push forward with the subject+issuer patch, at least to get a
working proof of concept and assess how it impacts the renewal
process.
Cheers,
Fraser