After clarification and discussions with cfu, ACK.
On Wed, 2016-03-02 at 15:13 +1000, Fraser Tweedale wrote:
> On Mon, Feb 22, 2016 at 12:02:49PM -0500, Ade Lee wrote:
> > Couple of comments ..
> >
> > 1. First off, there is a typo in the comments on the method. I think
> > you mean ..
> >
> > 3. Either we WERE the issuing CA, or we .. rather than "were not"
> >
> > 2. We can go with the heuristic of taking the first CA, but I do not
> > think we should leak information about other certs if the CA is
> > incorrect. The way the code is now, we will still return data on
> > whether a particular cert serial number is valid -- even if that cert
> > was not issued on that CA.
> >
> > A simple solution is to simply pass code to processRequest() to ignore
> > the request if the issuer is not correct and not return a response for
> > that request.
> >
> RFC 6960 says:
>
> The response MUST include a SingleResponse for each certificate
> in the request.
>
> So the best we can do is return 'unknown' status in this case.
>
> I've attached updated patch 0051-2 - the only change is the comment
> fixup - and two new patches: 0074 refactors digest lookup and adds
> support for SHA-2 algos, and 0075 changes the OCSP behaviour to
> return 'unknown' cert status for certs that are from a different issuer.
>
> Cheers,
> Fraser
_______________________________________________
Pki-devel mailing list
https://www.redhat.com/mailman/listinfo/pki-devel
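The behaviour the thread settles on, as an added illustration that is not Dogtag's code and not from either poster: the responder answers every CertID in the request (one SingleResponse each, as RFC 6960 requires) but reports 'unknown' for any CertID whose issuer hashes do not match the CA it serves, so it never consults its database for, or leaks the status of, serials issued by another CA. Class names, the digest table and all issuer bytes and serial numbers are assumptions constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Set
# Digest lookup keyed by the CertID hashAlgorithm name; digest() returns None
# for unsupported names. SHA-2 entries reflect the thread's SHA-2 support.
SUPPORTED_DIGESTS = {"sha1", "sha256", "sha384", "sha512"}

@dataclass(frozen=True)
class CertID:                # the RFC 6960 CertID fields identifying a cert
    hash_alg: str
    issuer_name_hash: Optional[bytes]
    issuer_key_hash: Optional[bytes]
    serial: int

@dataclass(frozen=True)
class SingleResponse:
    cert_id: CertID
    status: str              # "good", "revoked" or "unknown"

def digest(alg: str, data: bytes) -> Optional[bytes]:
    return hashlib.new(alg, data).digest() if alg in SUPPORTED_DIGESTS else None
def make_cert_id(alg: str, name: bytes, key: bytes, serial: int) -> CertID:
    return CertID(alg, digest(alg, name), digest(alg, key), serial)

class OcspResponder:
    def __init__(self, issuer_name: bytes, issuer_key: bytes,
                 issued: Set[int], revoked: Set[int]):
        self.issuer_name, self.issuer_key = issuer_name, issuer_key
        self.issued, self.revoked = issued, revoked
    def is_our_issuer(self, cid: CertID) -> bool:
        # Both hashes must match this CA under the request's own algorithm.
        name_hash = digest(cid.hash_alg, self.issuer_name)
        key_hash = digest(cid.hash_alg, self.issuer_key)
        return name_hash is not None and \
            (name_hash, key_hash) == (cid.issuer_name_hash, cid.issuer_key_hash)
    def status_for(self, cid: CertID) -> str:
        if not self.is_our_issuer(cid):
            return "unknown"  # foreign issuer: never consult our database
        if cid.serial in self.revoked:
            return "revoked"
        return "good" if cid.serial in self.issued else "unknown"
    def respond(self, request: List[CertID]) -> List[SingleResponse]:
        # RFC 6960: one SingleResponse for every certificate in the request.
        return [SingleResponse(cid, self.status_for(cid)) for cid in request]

# Constructed demo data: our CA, and another CA that also issued serial 1001.
OUR_NAME, OUR_KEY = b"constructed-name-our-ca", b"constructed-key-our-ca"
OTHER_NAME, OTHER_KEY = b"constructed-name-other-ca", b"constructed-key-other-ca"
RESPONDER = OcspResponder(OUR_NAME, OUR_KEY, issued={1001, 1002}, revoked={1002})
```

A request mixing our serial 1002 with the other CA's serial 1002 yields ["revoked", "unknown"], and an unsupported digest name in the CertID also maps to "unknown" rather than an error.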
