On Tue, Mar 15, 2016 at 07:59:57AM +1000, Fraser Tweedale wrote:
On Mon, Mar 14, 2016 at 09:29:37AM -0700, Christina Fu wrote:
>
>
> On 03/12/2016 11:51 PM, Fraser Tweedale wrote:
> >On Fri, Mar 11, 2016 at 10:20:49AM -0800, Christina Fu wrote:
> >>Hi Fraser,
> >>
> >>I think the general idea looks good. If tested to work, I actually think
> >>you should have it replace the current caServerCert.cfg and make it the
> >>default server cert profile for Dogtag. So I'd suggest you name things more
> >>generically.
> >>
> >Thanks Christina for the feedback. W.r.t naming, can you clarify
> >what you think should be more generic and why?
> Actually it was more of a preemptive comment that was not specifically
> directed towards anything in your current design.
> I just took a closer look, and I think your new profile plugin name
> (|SubjectAltNameCopyCNDefault|) sounds good.
>
> About replacing existing caServerCert.cfg, consider keeping it, but
> 1. name the new profile something like caServerSANCert.cfg
> 2. make caServerSANCert.cfg default (enable it), and disable
> caServerCert.cfg by default
>
> Anyway, you get the idea. The point is that I think we should fundamentally
> adhere to the standard in Dogtag, so such a fix should be part of the Dogtag
> default.
>
> thanks,
> Christina
>
Understood; thanks. I'll file a ticket for the Dogtag profile
change.

As promised:
https://fedorahosted.org/pki/ticket/2233 replace
caServerCert profile with one that issues RFC 2818-compliant certs

Cheers,
Fraser