On Tue, Mar 15, 2016 at 07:59:57AM +1000, Fraser Tweedale wrote:
> On Mon, Mar 14, 2016 at 09:29:37AM -0700, Christina Fu wrote:
> >
> > On 03/12/2016 11:51 PM, Fraser Tweedale wrote:
> > >On Fri, Mar 11, 2016 at 10:20:49AM -0800, Christina Fu wrote:
> > >>Hi Fraser,
> > >>
> > >>I think the general idea looks good. If tested to work, I actually think
> > >>you should have it replace the current caServerCert.cfg and make it the
> > >>default server cert profile for Dogtag. So I'd suggest you name things
> > >>more generically.
> > >>
> > >Thanks Christina for the feedback. W.r.t naming, can you clarify
> > >what you think should be more generic and why?
> > Actually it was more of a preemptive comment that was not specifically
> > directed towards anything in your current design.
> > I just took a closer look, and I think your new profile plugin name
> > (|SubjectAltNameCopyCNDefault|) sounds good.
> >
> > About replacing existing caServerCert.cfg, consider keeping it, but
> > 1. name the new profile something like caServerSANCert.cfg
> > 2. make caServerSANCert.cfg default (enable it), and disable
> >    caServerCert.cfg by default
> >
> > Anyway, you get the idea. The point is that I think we should fundamentally
> > adhere to the standard in Dogtag, so such a fix should be part of the Dogtag
> > default.
> >
> > thanks,
> > Christina
> >
> Understood; thanks. I'll file a ticket for the Dogtag profile
> change.
>
As promised:

https://fedorahosted.org/pki/ticket/2233
replace caServerCert profile with one that issues RFC 2818-compliant certs

Cheers,
Fraser
