Hi Achim,

it can happen that everything is correct with the situation:

1. The log entry is written after the crypto toolkit returns the new certificate to the command.
2. After the log entry the certificate is converted and stored in the context of the workflow.

The situation is perhaps confusing because if the command crashes between the log message and the end of the command then you don't see the certificate in the context of the workflow. The problem is that the certificate was issued. You don't have it but it exists. This fact is important for a potential security review.

Perhaps we should write more than one message here.

- certificate signed but not persisted
- certificate converted
- certificate persisted

I don't know if this is too much noise.

Best regards

Michael

On 30.07.2012 17:53, Joachim Astel wrote:
> Hello OpenXPKI developers,
>
> recently we have had a heavy-load situation within OpenXPKI.
> It happened that the parent gave control to the child, got
> into "Issuance" workflow state and logged into OpenXPKI log
> a "CertIssuance" line with a certificate which wasn't signed
> at this time -- due to the load situation, the child process
> had died then (parent at this point was in status "WAITING_FOR_CHILD").
> The certificate wasn't signed, but the above log output has happened.
> From an audit perspective it is not nice, if a certificate issuance
> is reported although it hasn't been signed in reality.
> This means that the log should ideally only be written if the
> certificate was really issued, not in this case.
>
> Greetings
> -Achim

--
Michael Bell
Humboldt-Universitaet zu Berlin
ZE Computer- und Medienservice
Unter den Linden 6
D-10099 Berlin
Tel.: +49 (0)30-2093 70143
Fax: +49 (0)30-2093 70135
[email protected]
PGP Fingerprint: 09E4 3D29 4156 2774 0F2C C643 D8BD 1918 2030 5AAB
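
The three staged messages proposed in the reply above let a reviewer find certificates that exist but never reached the workflow context. The following is an added example, not code from the thread or from OpenXPKI; the log line format, field names and sample entries are constructed assumptions.

```python
import re
from collections import defaultdict

# Hypothetical stage names, taken from the three messages proposed in the thread.
STAGES = ["signed", "converted", "persisted"]

# Constructed log format (an assumption, not OpenXPKI's real one):
#   <timestamp> wf=<workflow id> serial=<hex serial> stage=<stage>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) wf=(?P<wf>\d+) serial=(?P<serial>[0-9A-Fa-f]+) stage=(?P<stage>\w+)$"
)

# Constructed sample entries: one complete issuance, two interrupted ones.
SAMPLE_LOG = """\
2012-07-30T17:40:01Z wf=1001 serial=0A1B stage=signed
2012-07-30T17:40:01Z wf=1001 serial=0A1B stage=converted
2012-07-30T17:40:02Z wf=1001 serial=0A1B stage=persisted
2012-07-30T17:41:10Z wf=1002 serial=0A1C stage=signed
2012-07-30T17:41:55Z wf=1003 serial=0A1D stage=signed
2012-07-30T17:41:55Z wf=1003 serial=0A1D stage=converted
this line is malformed and must be reported, not silently dropped
"""

def reconcile(log_text):
    """Return (incomplete, malformed).

    incomplete maps (workflow, serial) -> last stage reached, for every
    certificate that was signed but has no 'persisted' entry.
    malformed lists the line numbers that did not parse.
    """
    seen = defaultdict(set)
    malformed = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m or m["stage"] not in STAGES:
            malformed.append(lineno)
            continue
        seen[(m["wf"], m["serial"].upper())].add(m["stage"])
    incomplete = {}
    for key, stages in seen.items():
        if "signed" in stages and "persisted" not in stages:
            # Last stage in pipeline order that was actually logged.
            incomplete[key] = max(stages, key=STAGES.index)
    return incomplete, malformed

if __name__ == "__main__":
    incomplete, malformed = reconcile(SAMPLE_LOG)
    for (wf, serial), stage in sorted(incomplete.items()):
        print(f"workflow {wf}: certificate {serial} exists but stopped at '{stage}'")
    print("unparsed lines:", malformed)
```

Every entry in `incomplete` is a certificate the CA signed that is missing from the workflow context, which is the case the reply calls important for a security review.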
