Hi,

while working on the new API I stumbled upon the "certificateHold" status. The OpenXPKI::Config lists it but marks it as "untested"; its companion "removeFromCRL" is also listed but not useful, as it can be used only in Delta-CRLs, which are not supported by openssl and not implemented by OpenXPKI currently.
My main issue is the definition and necessity of the "Hold Instruction Code" - RFC 3280 defines three of them:

* holdInstructionNone
* holdInstructionCallIssuer
* holdInstructionReject

where holdInstructionNone should be avoided. In RFC 5280, which is the follow-up one, the changelog says: "Section 5.3.2 in RFC 3280, which specified the holdInstructionCode CRL entry extension, was removed." However, the OIDs are still listed in its appendix.
The openssl manual says: "Although any OID can be used only holdInstructionNone (the use of which is discouraged by RFC2459) holdInstructionCallIssuer or holdInstructionReject will normally be used."

The most "open" possibility would be to grab the list of usable OIDs from the configuration, so it's easily extendable by the user. I would suggest to put holdInstructionCallIssuer and holdInstructionReject here as default.
Another point to discuss is the availability of the "unhold" action a.k.a. removeFromCRL reason in the default revocation workflow. I would like to see this as a separate workflow.
Comments welcome ;)

Oliver

-- 
Protect your environment - close windows and adopt a penguin!
PGP-Key: 3B2C 8095 A7DF 8BB5 2CFF 8168 CAB7 B0DD 3985 1721
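As an added example that is not part of Oliver's post or of OpenXPKI itself: a small Python module that applies the configurable allow-list proposed above (defaulting to holdInstructionCallIssuer and holdInstructionReject, so holdInstructionNone is opt-in only) and DER-encodes the holdInstructionCode CRL entry extension for a certificateHold entry. The config key hold_instructions is hypothetical, and the OID values are taken from OpenSSL's object table and are an assumption to check against your own toolchain.

```python
# OIDs as registered in OpenSSL's object table (assumption: verify against your
# toolchain; RFC 3280's ASN.1 module spells the first arc differently).
HOLD_INSTRUCTION_OIDS = {
    "holdInstructionNone": "1.2.840.10040.2.1",
    "holdInstructionCallIssuer": "1.2.840.10040.2.2",
    "holdInstructionReject": "1.2.840.10040.2.3",
}
HOLD_INSTRUCTION_CODE_EXT = "2.5.29.23"  # id-ce-holdInstructionCode
# Proposed default: holdInstructionNone is permitted only when configured explicitly.
DEFAULT_ALLOWED = ("holdInstructionCallIssuer", "holdInstructionReject")

def allowed_hold_instructions(config):
    # {name: oid} for the instructions the (hypothetical) config key permits.
    names = config.get("hold_instructions") or DEFAULT_ALLOWED
    unknown = [n for n in names if n not in HOLD_INSTRUCTION_OIDS]
    if unknown:
        raise ValueError(f"unknown hold instruction(s) in config: {unknown}")
    return {n: HOLD_INSTRUCTION_OIDS[n] for n in names}

def der_oid(dotted):
    # DER OBJECT IDENTIFIER; short-form length suffices for every OID used here.
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]  # base-128 digits, high bit set on all but the last
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)

def hold_instruction_extension(config, name):
    # Extension ::= SEQUENCE { extnID OID, extnValue OCTET STRING { OID } }
    # Refuses any instruction the configuration does not list, so a revocation
    # request cannot smuggle in holdInstructionNone under the default policy.
    allowed = allowed_hold_instructions(config)
    if name not in allowed:
        raise ValueError(f"{name!r} is not an allowed hold instruction")
    inner = der_oid(allowed[name])
    extn_value = bytes([0x04, len(inner)]) + inner
    seq_body = der_oid(HOLD_INSTRUCTION_CODE_EXT) + extn_value
    return bytes([0x30, len(seq_body)]) + seq_body
```

The returned bytes are the entry extension as it would appear in a CRL's revokedCertificates entry; compare them against the output of `openssl crl -text` on a CRL built with a certificateHold reason to confirm the encoding.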
OpenXPKI-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-devel
