I have already seen the demo for this.

Seems to make sense.

I've called out some extraneous calls to System.out.println, that might pollute 
the logs and the output for a client.

Conditional ACK.

Also, some of this affects the CRMFPopClient class when we add the switch for 
self signed.
We should at least check with Endi to make sure this doesn't have any negative 
effect on the pki command which uses the same code in certain situations.

----- Original Message -----
From: "Christina Fu" <c...@redhat.com>
To: pki-devel@redhat.com
Sent: Tuesday, May 16, 2017 11:36:55 AM
Subject: Re: [Pki-devel] [PATCH] 
Bug-1447080-CC-CMC-allow-enrollment-key-signed-self-.patch



Per discussion with Ade and Endi on an unrelated audit-event-specific topic, we 
decided not to split events into SUCCESS and FAILURE. 

This updated patch un-splits the events that I split prior to the 
conversation/decision. 

thanks, 

Christina 

On 05/15/2017 06:29 PM, Christina Fu wrote: 


(Pagure ticket is yet to be cloned) 

Bug 1447080 - CC: CMC: allow enrollment key signed (self-signed) CMC with 
identity proof 

This patch implements handling of the self-signed CMC requests, where the 
request is signed by the public key of the underlying request (PKCS#10 or 
CRMF). The scenario for when this method is used is when no existing 
signing cert for the user has been issued before, and once it is issued, it can 
be used to sign subsequent cert requests by the same user. 

The new enrollment profile introduced is: caFullCMCSelfSignedCert.cfg 

The new option introduced to both CRMFPopClient and PKCS10Client is "-y" which 
will add the required SubjectKeyIdentifier to the underlying request. 

When a CMC request is self-signed, no auditSubjectID is available until 
Identification Proof (v2) is verified; however, the cert subject DN is recorded 
in the log as soon as it is available for additional information. 

thanks! 

Christina 



_______________________________________________
Pki-devel mailing list Pki-devel@redhat.com 
https://www.redhat.com/mailman/listinfo/pki-devel 

