Fraser,

Good catch!

I'm wondering why it was disabled. Could there be a reason? Fraser, if you have not done so, may I trouble you to take one more step in the testing and see if you can:
1. verify the CRLs generated after the enabling of AKI indeed have the extension
2. verify the CRL is accepted by the OCSP
3. test FF cert verification with both CRL and OCSP

Regarding the upgrade script, I'll say yes if possible. But we should try to conform to the existing upgrade mechanisms/decision.

Thanks,
Christina

On 10/29/2014 11:09 PM, Fraser Tweedale wrote:
This patch enables the Authority Key Identifier CRL Extension, which
is REQUIRED by RFC 5280, by default.

Should existing instances be left alone or should I also look at an
upgrade script that offers to upgrade CS.cfg to be conformant?

Fraser

