Hi,

> I see no problems to include both scripts and activate the new one if it
> behaves like the old one.

OK, so I'll improve the script to a point where the default configuration
results in exactly the same behaviour as the previous version.

>> I guess practically, but I haven't performed benchmarks on this.
>> Michael is *very* concerned about performance and the additional
>> latency introduced by the script.
>
> Which Michael? Did you mean me (perhaps you mean another one because I
> don't follow the track)? I only think about the performance of the
> normal HTML stuff because this can be used by humans. Machines are
> usually not so critical and they produce no high load. So SCEP
> performance is at minimum for me no argument.

Yeah, I meant you. In a former discussion you were concerned about
the extra operations in the SCEP interface, but I may mix it up
with another discussion.

>> But a really bad hack is included to parse the SubjectAltName from the
>> incoming SCEP PKCS#10 request: this is currently not supported by
>> the OpenCA::REQ module, so I had to use the OpenSSL binary for this.
>> This must go away in a later release, but for this I will have to
>> write the stub code in the .xs file for the request parse class.
>
> This is not necessary for 0.9.2 too. OpenSSL.xs includes code to extract
> the extensions from a PKCS#10 request. You "only" have to add
> "EXTENSIONS" to @attrlist in parsReq of OpenCA::REQ. After this the
> extensions are in $csr->getParsed()->{EXTENSIONS}. If you want to
> preparse the subject_alt_name then you can do it like the X509 module
> which parses the EXTENSIONS data. ... but can ignore this of course if
> your stuff is already stable.

Great to hear, I learn something new every day with OpenCA...
I'll fix my code accordingly.

> The only question is how good is the new code tested and how good is the
> error tracing and debugging code. I checked the utf8 patch now and it is
> not really intrusive. So we can put both changes into the 0.9.2.3 but I
> need at minimum two days to adapt the patch because I want to look for
> the best and seamless integration into 0.9.2's config procedure.

Well the error tracing and debugging code is definitely better, because
it was non-existent in the previous version...
Concerning stability I can only test it against sscep here, currently
we do not have any real network components that enroll against my
SCEP server.

Martin



_______________________________________________
OpenCA-Devel mailing list
https://lists.sourceforge.net/lists/listinfo/openca-devel