2:39 a.m.
The attached patches fix https://fedorahosted.org/pki/ticket/1626.
0037-2: earlier patch to store issuer DN in certificate entries,
updated to add indices for the 'issuerName' attribute.
0053: updates the filter used by CRLIP to find certs to include in
CRL.
Note the following limitations:
1. No database update in relation to issuerName attribute and
indices. If people are otherwise satisfied with the patch, I will
file a ticket for the database upgrade aspect.
2. There is no way to define CRLIP for a lightweight CA. There is a
separate ticket for this: https://fedorahosted.org/pki/ticket/1626
(currently not a priority).
Cheers,
Fraser
2:59 p.m.
ACK on 37-2 - and yes, we need an upgrade script for this.
For 53, I have some questions ..
If, prior to the code that creates issuerFilter, filter is blank,
then with your code, we will end up with:
filter = (&(issuer_filter))
which is a filter with an and-operator and only one and-clause.
As far as I know, that won't work.
Ade
On Fri, 2015-10-09 at 17:39 +1000, Fraser Tweedale wrote:
The attached patches fix https://fedorahosted.org/pki/ticket/1626.
0037-2: earlier patch to store issuer DN in certificate entries,
updated to add indices for the 'issuerName' attribute.
0053: updates the filter used by CRLIP to find certs to include in
CRL.
Note the following limitations:
1. No database update in relation to issuerName attribute and
indices. If people are otherwise satisfied with the patch, I will
file a ticket for the database upgrade aspect.
2. There is no way to define CRLIP for a lightweight CA. There is a
separate ticket for this: https://fedorahosted.org/pki/ticket/1626
(currently not a priority).
Cheers,
Fraser
_______________________________________________
Pki-devel mailing list
Pki-devel(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
10:08 p.m.
On Tue, Oct 20, 2015 at 03:59:16PM -0400, Ade Lee wrote:
ACK on 37-2 - and yes, we need an upgrade script for this.
Thanks.
For 53, I have some questions ..
If, prior to the code that creates issuerFilter, filter is blank,
then with your code, we will end up with:
filter = (&(issuer_filter))
which is a filter with an and-operator and only one and-clause.
As far as I know, that won't work.
Well spotted. It works just fine. (&...) and (|...) work with 1..n
clauses.
Did you have other feedback re 53?
Cheers,
Fraser
Ade
On Fri, 2015-10-09 at 17:39 +1000, Fraser Tweedale wrote:
> The attached patches fix https://fedorahosted.org/pki/ticket/1626.
>
> 0037-2: earlier patch to store issuer DN in certificate entries,
> updated to add indices for the 'issuerName' attribute.
>
> 0053: updates the filter used by CRLIP to find certs to include in
> CRL.
>
> Note the following limitations:
>
> 1. No database update in relation to issuerName attribute and
> indices. If people are otherwise satisfied with the patch, I will
> file a ticket for the database upgrade aspect.
>
> 2. There is no way to define CRLIP for a lightweight CA. There is a
> separate ticket for this: https://fedorahosted.org/pki/ticket/1626
> (currently not a priority).
>
> Cheers,
> Fraser
> _______________________________________________
> Pki-devel mailing list
> Pki-devel(a)redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
10:24 p.m.
Nope -- if it works just fine, then ACK.
On Wed, 2015-10-21 at 13:08 +1000, Fraser Tweedale wrote:
On Tue, Oct 20, 2015 at 03:59:16PM -0400, Ade Lee wrote:
> ACK on 37-2 - and yes, we need an upgrade script for this.
>
Thanks.
> For 53, I have some questions ..
>
> If, prior to the code that creates issuerFilter, filter is blank,
> then with your code, we will end up with:
>
> filter = (&(issuer_filter))
>
> which is a filter with an and-operator and only one and-clause.
> As far as I know, that won't work.
>
Well spotted. It works just fine. (&...) and (|...) work with 1..n
clauses.
Did you have other feedback re 53?
Cheers,
Fraser
> Ade
>
> On Fri, 2015-10-09 at 17:39 +1000, Fraser Tweedale wrote:
> > The attached patches fix https://fedorahosted.org/pki/ticket/1626
> > .
> >
> > 0037-2: earlier patch to store issuer DN in certificate entries,
> > updated to add indices for the 'issuerName' attribute.
> >
> > 0053: updates the filter used by CRLIP to find certs to include
> > in
> > CRL.
> >
> > Note the following limitations:
> >
> > 1. No database update in relation to issuerName attribute and
> > indices. If people are otherwise satisfied with the patch, I
> > will
> > file a ticket for the database upgrade aspect.
> >
> > 2. There is no way to define CRLIP for a lightweight CA. There
> > is a
> > separate ticket for this:
> > https://fedorahosted.org/pki/ticket/1626
> > (currently not a priority).
> >
> > Cheers,
> > Fraser
> > _______________________________________________
> > Pki-devel mailing list
> > Pki-devel(a)redhat.com
> > https://www.redhat.com/mailman/listinfo/pki-devel
7:25 p.m.
On Tue, Oct 20, 2015 at 11:24:13PM -0400, Ade Lee wrote:
Nope -- if it works just fine, then ACK.
Thanks. Pushed to master
0037 - 465fa069ba67d655be28e1a3b9417dff19148e9f
0053 - bb3329f19180df9935c8571563eab2f47e31c522
Also filed ticket:
#1667 Database upgrade script to add issuerName attribute to all cert entries
Cheers,
Fraser
On Wed, 2015-10-21 at 13:08 +1000, Fraser Tweedale wrote:
> On Tue, Oct 20, 2015 at 03:59:16PM -0400, Ade Lee wrote:
> > ACK on 37-2 - and yes, we need an upgrade script for this.
> >
> Thanks.
>
> > For 53, I have some questions ..
> >
> > If, prior to the code that creates issuerFilter, filter is blank,
> > then with your code, we will end up with:
> >
> > filter = (&(issuer_filter))
> >
> > which is a filter with an and-operator and only one and-clause.
> > As far as I know, that won't work.
> >
> Well spotted. It works just fine. (&...) and (|...) work with 1..n
> clauses.
>
> Did you have other feedback re 53?
>
> Cheers,
> Fraser
>
> > Ade
> >
> > On Fri, 2015-10-09 at 17:39 +1000, Fraser Tweedale wrote:
> > > The attached patches fix https://fedorahosted.org/pki/ticket/1626
> > > .
> > >
> > > 0037-2: earlier patch to store issuer DN in certificate entries,
> > > updated to add indices for the 'issuerName' attribute.
> > >
> > > 0053: updates the filter used by CRLIP to find certs to include
> > > in
> > > CRL.
> > >
> > > Note the following limitations:
> > >
> > > 1. No database update in relation to issuerName attribute and
> > > indices. If people are otherwise satisfied with the patch, I
> > > will
> > > file a ticket for the database upgrade aspect.
> > >
> > > 2. There is no way to define CRLIP for a lightweight CA. There
> > > is a
> > > separate ticket for this:
> > > https://fedorahosted.org/pki/ticket/1626
> > > (currently not a priority).
> > >
> > > Cheers,
> > > Fraser
> > > _______________________________________________
> > > Pki-devel mailing list
> > > Pki-devel(a)redhat.com
> > > https://www.redhat.com/mailman/listinfo/pki-devel
3660
days inactive
3673
days old
4 comments
2 participants
participants (2)
-
Ade Lee -
Fraser Tweedale