Re: [Pki-devel] [PATCH] 0017-2 Enable Authority Key Identifier CRL extension

Hi Christina, Following up on your request for further testing, see below. On Thu, Oct 30, 2014 at 09:25:56AM -0700, Christina Fu wrote: > Fraser, > > Good catch! > > I'm wondering why it was disabled. Could there be a reason? Fraser, if you > have not done so, may I trouble you to take one more step in the testing and > see if you can > 1. verify the CRLs generated after the enabling of AKI indeed has the > extension > The extension is present. > 2. the CRL is accepted by the OCSP > The OCSP responder works fine with the CRLs when the AKI extension has been enabled. > 3. test FF cert verification with both CRL and OCSP > Firefox OCSP check works fine. I'm not sure how to test the CRL in Firefox. Advice? > Regarding upgrade script, I'll say yes if possible. But we should try to > conform to the existing upgrade mechanisms/decision. > Patch will be out shortly.

Cheers, Fraser > thanks, > Christina > > On 10/29/2014 11:09 PM, Fraser Tweedale wrote: > >This patch enables the Authority Key Identifier CRL Extension, which > >is REQUIRED by RFC 5280, by default. > > > >Should existing instances be left alone or should I also look at an > >upgrade script that offers to upgrade CS.cfg to be conformant? > > > >Fraser > > > > > >_______________________________________________ > >Pki-devel mailing list > >Pki-devel(a)redhat.com > >https://www.redhat.com/mailman/listinfo/pki-devel > > _______________________________________________ > Pki-devel mailing list > Pki-devel(a)redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel _______________________________________________ Pki-devel mailing list Pki-devel(a)redhat.com https://www.redhat.com/mailman/listinfo/pki-devel