On 4/20/19 1:09 AM, Viktor Dukhovni wrote:
> On Apr 19, 2019, at 6:42 PM, Michael Ströder <[email protected]> wrote:
>> If a cert's key gets compromised (e.g. laptop lost/stolen) I expect the
>> user's cert to be revoked and a new cert to be issued for the *same*
>> subject name. How to deal with that without revocation check?
>
> Delete the name match, and match by the key fingerprint until the old
> certificate is expired. Then go back to name checks.

Sounds complicated to get that right.
I think that people are asking for this feature because they just want to issue a new cert and *not* deal with any postfix map update.

> CRLs don't make for reliable infrastructure. My view is that pretending
> otherwise would be a disservice to the Postfix user community. It is much
> easier to update the Postfix tables than to provision a working CRL
> infrastructure. I have no plans to spend any time working on CRL support
> to Postfix.

Fair enough. Personally I'd continue to use fingerprints anyway. I'm rather questioning whether it's worth the effort to implement something else.
Ciao, Michael.
