atever follows the '@'. So
if REMOTE_USER is an email address and everyone has the same domain,
this could work with the current code. Otherwise, we'll need to
make changes.
All that said, providing an alternative way of specifying the realm
is a small RFE with a big payoff.
HTH,
Fraser
> Th
On Thu, Jul 02, 2020 at 11:35:22AM -0400, Alex Scheel wrote:
> There's a proposal for GSS-API auth:
>
> https://www.dogtagpki.org/wiki/GSS-API_authentication
> https://www.freeipa.org/page/V4/Dogtag_GSS-API_Authentication
>
> However, it isn't implemented yet. This would probably suffice for
>
On Wed, Jun 17, 2020 at 12:59:57AM +1000, Fraser Tweedale wrote:
> Thanks for the testing notes, Christina.
>
> Today I set up a local test CT log server using a container image.
> I plan to document more thoroughly but rough notes at [1].
>
> Now to the issue I found -
enabled, but the failure is ignored.
> However, you could look in the debug log for "verifySCT" to see relevant
> debug messages.
>
> I'll ask Dinesh to add his more comprehensive testing procedure to the page.
> thanks!!
> Christina
>
> On Thu, Jun 11, 2020 at 5:5
> > Also thanks for the input on how to handle failed CT log communication
> > v.s. response verification failure. I will address them separately as
> > suggested.
> > Finally, nice catch with the missing data length!! I'll add that and go
> > from there.
> >
>
On Wed, Jun 03, 2020 at 08:17:39PM -0400, Dinesh Prasanth Moluguwan
Krishnamoorthy wrote:
> Hello team,
>
> I’m part of Dogtag PKI open-source project [1]. Our team strives to provide
> enterprise-class open-source Public Key Infrastructure (PKI) [2].
>
> Dogtag PKI server is a Java web
Hi Christina,
Adding pki-devel@ for wider audience. Comments below.
On Mon, Jun 01, 2020 at 06:28:42PM -0700, Christina Fu wrote:
> Hi Fraser,
> Do you know how the signature returned in the SCT response could be
> verified by the CA?
> My thought is that the CA should somehow verify the CT
On Fri, Mar 20, 2020 at 03:41:05PM -0400, Endi Sukma Dewata wrote:
> - Original Message -
> > > Let me backtrack a little bit. Is there a plan to modify Dogtag to
> > > eventually support different serial number domains? If not, this is
> > > not an issue for Dogtag.
> >
> > There is no
Hi Endi,
Responses inline.
On Fri, Mar 20, 2020 at 12:55:46AM -0400, Endi Sukma Dewata wrote:
> - Original Message -
> > > > Currently on ACMEBackend interface we have
> > > >
> > > > public BigInteger issueCertificate(String csr);
> > > >
> > > > I think this is a bit of a problem.
On Tue, Mar 17, 2020 at 05:04:59PM -0400, Endi Sukma Dewata wrote:
> - Original Message -
> > Hi Endi,
> >
> > Just want to quickly discuss certificate IDs.
> >
> > Currently on ACMEBackend interface we have
> >
> > public BigInteger issueCertificate(String csr);
> >
> > I think this
Hi Endi,
Just want to quickly discuss certificate IDs.
Currently on ACMEBackend interface we have
public BigInteger issueCertificate(String csr);
I think this is a bit of a problem. e.g. Dogtag currently supports
multiple issuers (LWCAs). It is incidental that serial numbers do
not
On Tue, Jan 28, 2020 at 07:02:36PM +0530, Sharath wrote:
> Hello Team,
>
> I have taken the source code git repository, currently pointing
> origin/DOGTAG_10_6_BRANCH. Can you please text the steps to build Dogtag PKI
> source ?
>
> ./build.sh is failed due to dependencies...
>
> is there any
On Thu, Dec 05, 2019 at 11:18:15AM +1000, Fraser Tweedale wrote:
> On Wed, Dec 04, 2019 at 06:36:24PM -0500, Endi Sukma Dewata wrote:
> > - Original Message -
> > > Just want to flag something related to ACME orders and
> > > authorisations.
> >
Just want to flag something related to ACME orders and
authorisations.
In ACME, authorizations can be shared by multiple orders. In fact
you can also "preauthorize" your account for an identifier, so there
can also be authorizations with no orders attached.
Does the way we have implemented the
On Fri, Nov 01, 2019 at 05:29:40PM +0530, Sharath wrote:
> Hi Team,
>
> 1. Can you please help, how to generate the certificate using pkcs #12
> format??
>
Hi Sharath,
PKCS #12 is a key and certificate archival format. The main use of
PKCS #12 in Dogtag is retrieving archived keys from the KRA
On Mon, Mar 11, 2019 at 03:58:17PM +0100, François Cami wrote:
> Hi,
>
> The Java maintainers have orphaned most, if not all, of the Java stack
> in Fedora, in favor of modules:
>
Dear Dinesh,
The 10.6.7-1 update[1] was given negative karma due to FreeIPA
installation failure[2] on openqa. I have spent considerable time
trying to reproduce the failure using the same package from
updates-testing, without success.
[1]
Just a quick heads up that a couple of new RFCs[1][2] update RFC
5280 w.r.t. i18n support.
[1] https://tools.ietf.org/html/rfc8398
[2] https://tools.ietf.org/html/rfc8399
The most notable change is a new otherName type to represent
internationalised email addresses (i.e. when the local part is
On Tue, May 01, 2018 at 09:34:23PM -0400, Endi Sukma Dewata wrote:
> Hi,
>
> PKI 10.6.0 and TomcatJSS 7.3.0 have officially been released
> upstream and in Fedora 28:
>
> https://github.com/dogtagpki/pki/releases/tag/v10.6.0
> https://github.com/dogtagpki/tomcatjss/releases/tag/v7.3.0
>
> Please
On Tue, Mar 27, 2018 at 09:52:22PM -0400, Endi Sukma Dewata wrote:
> - Original Message -
> > On Tue, Mar 27, 2018 at 11:16:01AM -0400, Endi Sukma Dewata wrote:
> > > Hi,
> > >
> > > The Dogtag PKI Website URL has changed as follows:
> > >
> > > * Old URL: http://pki.fedoraproject.org
>
On Tue, Mar 27, 2018 at 11:16:01AM -0400, Endi Sukma Dewata wrote:
> Hi,
>
> The Dogtag PKI Website URL has changed as follows:
>
> * Old URL: http://pki.fedoraproject.org
> * New URL: http://www.dogtagpki.org
>
> Please use the new URL whenever possible. The old URL should
> automatically be
On Fri, Mar 09, 2018 at 07:02:23PM +1000, Fraser Tweedale wrote:
> Hi,
>
> It seems that with the change in logging backend, calls to
> CMS.debug(Throwable e) no longer print the stack trace. The name of
> the exception is printed but the error message has been suppressed.
>
Hi Christina et al,
Could someone with a familiarity/interest in IPAddress altnames /
name constraints please review this patchset and the three related
patchsets, when you have time?
https://review.gerrithub.io/#/c/398356/
The related BZ is
ramifications of this change and why it is
> > needed?
> >
> > I notice that most of the Openstack projects use the default "Merge
> > If
> > Necessary", and want to understand (or at least document) why we want
> > to do things differently.
> >
>
To whoever has management permission on gerrithub,
Could you please change the `Submit Type' config to `Rebase if
Necessary'? This will avoid explicit merge commits without the
developer having to explicitly rebase the change before submitting.
On Wed, Apr 26, 2017 at 06:40:59PM +1000, Fraser Tweedale wrote:
> On Thu, Apr 06, 2017 at 05:22:34PM +1000, Fraser Tweedale wrote:
> > The attached patch fixes a regression (I think?) where recovered
> > keys accumulate in the key storage token.
> >
> > Thanks,
d above.
Thanks,
Fraser
>
> On 04/10/2017 11:30 PM, Fraser Tweedale wrote:
> > On Thu, Apr 06, 2017 at 03:45:55PM -0700, Christina Fu wrote:
> > > Hi Fraser,
> > >
> > > Could you please do the following first?
> > >
> > > 1. file a Mozilla
On Thu, Apr 06, 2017 at 05:22:34PM +1000, Fraser Tweedale wrote:
> The attached patch fixes a regression (I think?) where recovered
> keys accumulate in the key storage token.
>
> Thanks,
> Fraser
Gerrit review: https://review.gerrithu
I have created a gerrit review for this patchset:
https://review.gerrithub.io/#/c/357607/
Thanks,
Fraser
On Tue, Feb 07, 2017 at 09:39:52PM +1000, Fraser Tweedale wrote:
> Please review the attached patches which fix
> https://fedorahosted.org/pki/ticket/2588, a bug in profile
> mod
is not
active when I go to Edit Bug.
Also not sure how to "mark reviewers". I added you and Elio to Cc
though.
Thanks,
Fraser
>
> On 04/04/2017 02:56 AM, Fraser Tweedale wrote:
> > Hi team,
> >
> > Please review attached patches for JSS and Dogtag that:
The attached patch fixes a regression (I think?) where recovered
keys accumulate in the key storage token.
Thanks,
Fraser
From ab470a00827673f327d5f171ff3fdf1baea4ae5e Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Thu, 6 Apr 2017 16:07:07 +1000
Subject: [PATC
Hi all,
I have some questions about KRA operation. These questions came up
as part of my PKCS #12 AES key bag encryption effort.
1) the kra.allowEncDecrypt.recovery setting controls whether
unwrapping the archived key takes place on a crypto token (the
default) or within Dogtag. It seems to be
de2d7f049eb4462c7442795a77a8a915ae70d216 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Mon, 3 Apr 2017 11:07:24 +1000
Subject: [PATCH 0/2] Add SEC_OID mappings for AES ECB/CBC algorithms
---
org/mozilla/jss/crypto/Algorithm.c | 8 +++-
org/mozilla/jss/crypto/Algor
On Tue, Mar 07, 2017 at 11:16:37AM +1000, Fraser Tweedale wrote:
> Hi team,
>
> Please review the attached patches, which add support for external
> authentication (e.g. GSS-API/SPNEGO).
>
> These patches depend on some other outstanding patches:
> 0157, 0158, 0165, 0166
On Mon, Mar 13, 2017 at 03:59:24PM -0400, Ade Lee wrote:
> ACK
>
Thanks; 0165 pushed to master
(6fa6b692882d00c8228aed7f5780b13f1b09c98c)
> On Wed, 2017-02-22 at 12:12 +1000, Fraser Tweedale wrote:
> > The following patches add the revocation reason to the REST cert
> > da
Please review attached patches that fix a couple of problems in
pkispawn.8 and pki_default.cfg.5.
Thanks,
Fraser
From e6c683eec351be54fb65f22629e78865839bf263 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Thu, 9 Mar 2017 14:30:29 +1000
Subject: [PATCH 1
:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Thu, 2 Mar 2017 16:32:21 +1000
Subject: [PATCH] CMS.getLogMessage: escape format elements in arguments
CMS.getLogMessage performs message formatting via MessageFormat,
then the message gets logged via a Logger. The Logger also pe
The following patches add the revocation reason to the REST cert
data (i.e. GET /ca/rest/certs/{id}).
Patches 0163 and 0164 were pushed under trivial rule.
Please review 0165.
Thanks,
Fraser
From f50507eac86edba2fba01ff25d6937f7d991770e Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ft
The attached patch fixes an NPE that can occur if startup fails
(e.g. due to database unavailable).
Pushed under trivial rule.
Thanks,
Fraser
From aa9bca02d0469e16a93812564bf44369c30002da Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Mon, 20 Feb 2017 11:08:50
On Tue, Jan 24, 2017 at 02:45:48PM +1000, Fraser Tweedale wrote:
> The attached patch (part of the GSS-API effort) allows DirAclAuthz
> configuration to specify to read the ACLs from a different entry (it
> is currently hard-coded).
>
> Thanks,
> Fraser
>
ACKed by a
On Wed, Feb 01, 2017 at 05:25:58PM +1000, Fraser Tweedale wrote:
> Hi all,
>
> The attached patches implement the long-desired feature to copy CN
> to SubjectAltName (https://fedorahosted.org/pki/ticket/1710).
>
> I've also pushed the branch to my GitHub repo; feel free to re
Please review the attached patches which fix
https://fedorahosted.org/pki/ticket/2588, a bug in profile
modification where config params can only be added or changed, but
not removed.
Thanks,
Fraser
From 0a86f63cfe2d5391befe401541e9dcc0dae6ce29 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Please review attached patches; a couple of small refactors to ease
upcoming GSS-API work.
Thanks,
Fraser
From 71a94aba941b395a07a849eacb125b9657f70f59 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Tue, 7 Feb 2017 11:38:03 +1000
Subject: [PATCH 157/158]
Pushed under one-liner/trivial rule.
Thanks,
Fraser
From 463be6afd824f39c9e02881d7b9b168cd92093a1 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Tue, 7 Feb 2017 10:31:32 +1000
Subject: [PATCH 156/158] Remove unused dependency from tomcat classes build
---
base/
a KBase article about
using the new component.
Let me know what you think.
Cheers,
Fraser
On Thu, Feb 02, 2017 at 12:46:30PM -0700, Matthew Harmsen wrote:
> On 02/01/2017 12:25 AM, Fraser Tweedale wrote:
> > Hi all,
> >
> > The attached patches implement the long-desir
Thanks,
Fraser
From 3f913b1857712dd0a962d42f56f29d7faebf244e Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Wed, 1 Feb 2017 16:15:39 +1000
Subject: [PATCH 151/155] DNSName: add method to get value
To implement a profile default that copies CN to SAN dNSName, w
The attached patch fixes https://fedorahosted.org/pki/ticket/2579.
Thanks,
Fraser
From 4201b2c02546e4d404816a4932ba2d0d688f2c55 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Mon, 23 Jan 2017 17:11:26 +1000
Subject: [PATCH] Use BigInteger for entryUSN
Currently
Reviewed by alee:
https://github.com/frasertweedale/pki/commit/967727ea3104accbf1bd1e05fc676bfef0d9ba6d
Pushed to master (1d706a075f32d7c30a6259be675b8f34ef2a9c99).
Thanks,
Fraser
From 1d706a075f32d7c30a6259be675b8f34ef2a9c99 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.
; IRequest extdata
key prefix in one place
Thanks,
Fraser
On Wed, Dec 07, 2016 at 02:39:22PM +1000, Fraser Tweedale wrote:
> The attached patches relocate / redefine some constants that are
> used as keys when setting or getting IRequest extdata attributes.
>
> In some cases this remo
Acked by alee:
https://github.com/frasertweedale/pki/commit/4a43f08a96f80a44ad0d8fffcb49f70b5d274277
Pushed to master (e2e4b70bab9c81b9007057cafd25447190d6cde4).
Thanks,
Fraser
On Tue, Nov 29, 2016 at 07:12:28PM +1000, Fraser Tweedale wrote:
> This patch renames (a better name) and mo
Acked by alee:
https://github.com/frasertweedale/pki/commit/037c16e3e78bccfa16e3d50ef840675ad2e0f3ec
Pushed to master (7ab1bbb708d539d4db4e494418fedb952e4880bc)
Thanks,
Fraser
On Tue, Nov 29, 2016 at 07:08:48PM +1000, Fraser Tweedale wrote:
> With current ACL parsing, if you h
Acked by alee:
https://github.com/frasertweedale/pki/commit/2d6e917470fce977d2537eba0b9ef2ee17fd0a41
Pushed to master (bfcf597d569e24fe6ec60062e37908c62bcff76)
On Tue, Nov 29, 2016 at 07:04:26PM +1000, Fraser Tweedale wrote:
> The attached patch merges some duplicate authz manager c
Acked by alee:
https://github.com/frasertweedale/pki/commit/b775ca19b2c1a3d554aca3134308a71fecd7bdd0
Pushed to master (1407b5f3af27d05970bb42ac2fefe51cb6b01abd)
Thanks,
Fraser
On Tue, Nov 29, 2016 at 07:02:12PM +1000, Fraser Tweedale wrote:
> The attached patch moves some string constants f
(Sorry, I sent this to the wrong list.)
On Thu, Dec 08, 2016 at 01:59:45PM +1000, Fraser Tweedale wrote:
> On Wed, Dec 07, 2016 at 05:29:41PM -0800, Rafael Leiva-Ochoa wrote:
> > Here you goI hope you can help. I am already starting to use it in
> > production testing...I woul
.
Thanks,
Fraser
> On Wed, Dec 7, 2016 at 4:25 PM, Fraser Tweedale <ftwee...@redhat.com> wrote:
>
> > On Wed, Dec 07, 2016 at 02:11:53PM -0800, Rafael Leiva-Ochoa wrote:
> > > Hi Team,
> > >
> > > I have installed Dogtag on one of my Raspberry PI 3 de
in IRequest, which
is the appropriate place.
This is refactoring work undertaken as part of GSSAPI support.
Thanks,
Fraser
From 31d9026f2be5204dd4742ce00542bc80b614d9b9 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Wed, 7 Dec 2016 12:25:01 +1000
Subject: [PAT
What it says on the tin. Pushed under one-liner rule.
Thanks,
Fraser
From 01956aedf62f20713ca191c254a20f0b50d8e7af Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Wed, 7 Dec 2016 14:23:18 +1000
Subject: [PATCH 143/143] Remove unused string constant
Part of:
This patch renames (a better name) and moves to the IAuthzSubsystem
interface a method in AuthzSubsystem that may be useful for doing
authorisation checks for external principals.
Thanks,
Fraser
From 6a1ddf4cf79e40ff0a0702e063afa6e6237f0fb6 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ft
afc5fc3da5f1ea61305fb237e002bbe8b3d26e8c Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Fri, 25 Nov 2016 14:29:40 +1000
Subject: [PATCH 139/141] Merge duplicate authz plugin code into superclass
DirAclAuthz and BasicAclAuthz both extend AAclAuthz, but there is
still a lot of duplicat
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Tue, 29 Nov 2016 16:10:58 +1000
Subject: [PATCH 138/141] Move AuthToken key constants to IAuthToken
Part of: https://fedorahosted.org/pki/ticket/1359
---
.../netscape/certsrv/authentication/AuthToken.java | 34 --
.../c
Just a drive-by removal of an unused class member. Pushed under
one-liner rule.
Thanks,
Fraser
From e613f485e9ed08b9b5e6b2ad568a0953b742b0e5 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Mon, 28 Nov 2016 14:52:11 +1000
Subject: [PATCH] Remove unused member
---
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Wed, 21 Sep 2016 20:18:37 +1000
Subject: [PATCH] Do not attempt LWCA key retrieval for host authority
During two-step installation of externally-signed CA, installation
can fail because host authority's private key cannot be located (a
tem
On Wed, Sep 14, 2016 at 07:16:32PM -0500, Endi Sukma Dewata wrote:
> On 9/14/2016 7:14 AM, Fraser Tweedale wrote:
> > Hi team,
> >
> > The attached patch fixes (yet another) race condition in
> > LDAPProfileSubsystem.
> >
> > https://fedorahosted.org/pki/
Hi team,
The attached patch fixes (yet another) race condition in
LDAPProfileSubsystem.
https://fedorahosted.org/pki/ticket/2453
Additional context: https://fedorahosted.org/freeipa/ticket/6274
Thanks,
Fraser
From 24a5ad6f84387055468e0125df90fea6635da484 Mon Sep 17 00:00:00 2001
From: Fraser
Hi,
Attached patch fixes https://fedorahosted.org/pki/ticket/2443.
Thanks,
Fraser
From e0a546113b65d57e4b00b495f4ef50616ad744c1 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Wed, 24 Aug 2016 14:40:46 +1000
Subject: [PATCH] Prevent deletion of host CA cert a
On Fri, Aug 05, 2016 at 10:10:22AM -0700, George Wash wrote:
> Are there any plans on the dogtag roadmap to ever migrate away from using
> JSS/NSS?
>
Hi George,
I don't think there are any such plans. Why do you ask?
Cheers,
Fraser
Hi team,
The attached patch fixes https://fedorahosted.org/pki/ticket/2420.
Thanks,
Fraser
From 86030eb0c231734a3020b201a9be60e84d023e75 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Tue, 26 Jul 2016 14:07:10 +1000
Subject: [PATCH] Fix CA OCSP responder when
On Thu, Jul 14, 2016 at 03:51:18PM +0530, Geetika Kapoor wrote:
>
>
> On 07/14/2016 03:02 PM, Geetika Kapoor wrote:
> >
> > On 07/14/2016 01:53 PM, Fraser Tweedale wrote:
> >> On Thu, Jul 14, 2016 at 06:01:51PM +1000, Fraser Tweedale wrote:
> >>> On Thu,
On Wed, Jul 13, 2016 at 04:36:26PM +0530, Geetika Kapoor wrote:
> Hi,
>
> Please review this patch. Below is a small summary about this fix and
> what we are trying to achieve.
>
> CLI : pki-server db-upgrade
>
> what it should be doing is if it sees that issuerName doesn't exist,NULL
> it will
On Thu, Jun 30, 2016 at 08:38:57PM -0500, Endi Sukma Dewata wrote:
> The pki-server ca-* commands have been modified to validate
> the instance and the CA subsystem before proceeding with the
> operation.
>
> The usage() methods and invocations have been renamed into
> print_help() for
On Wed, Jun 29, 2016 at 11:19:46AM -0500, Endi Sukma Dewata wrote:
> The pki-server subsystem-cert-update is supposed to restore the
> system certificate data and requests into CS.cfg. The command was
> broken since the CASubsystem class that contains the code to find
> the certificate requests
On Thu, Jun 30, 2016 at 10:10:32AM -0500, Endi Sukma Dewata wrote:
> On 6/22/2016 4:53 AM, Fraser Tweedale wrote:
> > The attached patch fixes https://fedorahosted.org/pki/ticket/2285.
> > See commit message and bz1323400[1] for full history and details.
> >
> > [1]
On Thu, Jun 30, 2016 at 10:49:12AM -0500, Endi Sukma Dewata wrote:
> On 6/27/2016 9:52 PM, Fraser Tweedale wrote:
> > The attached patch fixes https://fedorahosted.org/pki/ticket/2388.
> > Wanted for 10.3.4.
> >
> > Thanks,
> > Fraser
>
> Two things:
The attached patch fixes https://fedorahosted.org/pki/ticket/2388.
Wanted for 10.3.4.
Thanks,
Fraser
From 3ad777d8009f025f1aac1159910dd0a4d327bd13 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Sat, 25 Jun 2016 00:14:11 +0200
Subject: [PATCH] Respond 400 if lightweight
17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Wed, 22 Jun 2016 13:34:01 +1000
Subject: [PATCH] Add profiles container to LDAP if missing
CMS startup was changed a while back to wait for
LDAPProfileSubsystem initialisation, while LDAPProfileSubsystem
initialisation waits f
On Tue, Jun 21, 2016 at 07:29:22AM +0200, Jan Cholasta wrote:
> On 18.6.2016 02:38, Fraser Tweedale wrote:
> > On Fri, Jun 17, 2016 at 03:21:07PM +0200, Jan Cholasta wrote:
> > > On 17.6.2016 09:34, Fraser Tweedale wrote:
> > > > On Mon, May 09, 2016 at 09:35:
On Mon, May 09, 2016 at 09:35:06AM +0200, Jan Cholasta wrote:
> Hi,
>
> On 6.5.2016 08:01, Fraser Tweedale wrote:
> > Hullo all,
> >
> > FreeIPA Lightweight CAs implementation is progressing well. The
> > remaining big unknown in the design is how to do
On Wed, Jun 15, 2016 at 11:36:28AM -0500, Endi Sukma Dewata wrote:
> The TPS's CS.cfg and token-states.properties have been updated
> to include instructions to customize token state transitions and
> labels.
>
> https://fedorahosted.org/pki/ticket/2300
>
ACK
On Mon, Jun 13, 2016 at 07:24:01PM -0500, Endi Sukma Dewata wrote:
> A new CLI has been added to update the certificate trust flags in
> PKCS #12 file which will be useful to import OpenSSL certificates.
>
Tested; does what it says on the tin.
ACK.
Cheers,
Fraser
On Fri, Jun 10, 2016 at 10:29:51AM -0500, Endi Sukma Dewata wrote:
> The TPS token and activity services have been modified to use VLV
> only when the search filter matches the VLV, which is the default
> filter when there is no search keyword/attributes specified by
> the client. In other cases
On Tue, Jun 14, 2016 at 07:40:12PM -0500, Endi Sukma Dewata wrote:
> On 6/13/2016 9:38 PM, Fraser Tweedale wrote:
> > Hi all,
> >
> > The attached patch fixes https://fedorahosted.org/pki/ticket/2359.
> > Please review for inclusion in 10.3.3.
> >
> >
dependency, but should I also add it spec file as explicit
dependency?
Cheers,
Fraser
From 7183cece34b766b5e1db6837291151b4d58aa9c9 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Sat, 4 Jun 2016 20:49:38 +1000
Subject: [PATCH] Modify ExternalProcessKeyRetriever to rea
On Thu, Jun 02, 2016 at 11:45:43PM -0500, Endi Sukma Dewata wrote:
> On 5/31/2016 11:45 PM, Fraser Tweedale wrote:
> > G'day comrades,
> >
> > Please review the attached two patches, which...
> >
> > (Patch 0120)
> >
> > - provide for passing o
On Thu, Jun 02, 2016 at 08:02:35PM -0500, Endi Sukma Dewata wrote:
> On 5/17/2016 12:20 AM, Fraser Tweedale wrote:
> > Hi all,
> > attached patch fixes https://fedorahosted.org/pki/ticket/2332
> >
> > Cheers,
> > Fraser
>
> Assuming an identical CA cannot
On Tue, May 31, 2016 at 11:07:51AM -0500, Endi Sukma Dewata wrote:
> On 5/29/2016 10:25 PM, Fraser Tweedale wrote:
> > The attached patch fixes https://fedorahosted.org/pki/ticket/2343
> >
> > Cheers,
> > Fraser
>
> ACK.
>
Thanks Endi! Pushed to master
(a401
The attached patch fixes https://fedorahosted.org/pki/ticket/2343
Cheers,
Fraser
From a40139d5f21139d31b62d3c35002b454131245f1 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Mon, 30 May 2016 12:17:12 +1000
Subject: [PATCH] Fix LDAP schema violation when instanc
Hi all,
attached patch fixes https://fedorahosted.org/pki/ticket/2332
Cheers,
Fraser
From baf904216848a5d775948853764d2657ea6405e9 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Tue, 17 May 2016 14:47:11 +1000
Subject: [PATCH] Return 410 Gone if target CA of r
The attached patch makes clones delete lightweight CA keys/certs
from local NSSDB when processing LWCA deletion.
Ticket: https://fedorahosted.org/pki/ticket/2328
Thanks,
Fraser
From 96079be3caea27ab1ecd5e6486a31c5c3629 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
erably, in LDAP itself). Updates themselves should
be idempotent.
> Opening up for others to chime in ..
>
> Ade
>
> On Tue, 2016-05-10 at 08:32 +1000, Fraser Tweedale wrote:
> > On Mon, May 09, 2016 at 04:06:46PM -0400, Ade Lee wrote:
> > > Isn't all this predica
913fced6709f30da2ac05e5367fcfc05e1698a75 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Fri, 13 May 2016 14:22:08 +1000
Subject: [PATCH] Lightweight CAs: add issuer DN and serial to AuthorityData
Add issuer DN and serial number to the AuthorityData object, as
read-only attr
On Mon, May 09, 2016 at 01:19:50PM +1000, Fraser Tweedale wrote:
> The attached patch fixes https://fedorahosted.org/pki/ticket/2317.
> It will result in better error messages and help users to diagnose
> bad profile configurations (especially with IPA).
>
> Thanks,
> Fras
On Tue, May 10, 2016 at 01:29:17PM -0400, Ade Lee wrote:
> ACK.
>
Thanks Ade; pushed to master:
502db07ee8ef3e9f6b4bc2b030b29e8db639bc69 Include issuer DN in CertDataInfo
70d751e837cbf375ebd068169e591cd4a971f472 Support certificate search by issuer
DN.
> Is the new search parameter added to
On Mon, May 09, 2016 at 04:06:46PM -0400, Ade Lee wrote:
> Isn't all this predicated on a schema change that adds the issuer as an
> optional field for the certRecord?
>
The schema already exists but was unused.
> Ade
>
> On Mon, 2016-05-09 at 17:15 +1000, Fraser Tweedale
scriptlet to perform the upgrade for Dogtag CA subsystem on
the host? Is there a precedent for invoking pki-server (or
subroutines thereof) from pki-server-upgrade scriptlets?
Cheers,
Fraser
From 9d994fe2c4e31c3d4212673f1dd3a0c8e84c40a3 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.
Attached patch fixes a typo in the LWCA key retrieval Python helper
script.
Pushed to master (e75be5dcbce6aecf08ea7ff0b027222d0b6bbd4f) under
one-liner rule.
Cheers,
Fraser
From e75be5dcbce6aecf08ea7ff0b027222d0b6bbd4f Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
The attached patch fixes https://fedorahosted.org/pki/ticket/2317.
It will result in better error messages and help users to diagnose
bad profile configurations (especially with IPA).
Thanks,
Fraser
From ff7ff61c6cc97f695f3db2058bf3639014278299 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
On Fri, May 06, 2016 at 09:31:07PM -0500, Endi Sukma Dewata wrote:
> On 5/5/2016 1:54 AM, Fraser Tweedale wrote:
> >The attached patch allows "host-authority" to be used as valid
> >reference to the host authority when creating a LWCA. It makes life
> >eas
Attached patch does what it says on the tin ;)
Cheers, and have a good weekend y'all.
Fraser
From cabae0a050fb752b290ece28d5dac927f01b3c01 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Fri, 6 May 2016 16:03:57 +1000
Subject: [PATCH] Lightweight CAs: allow spec
Hullo all,
FreeIPA Lightweight CAs implementation is progressing well. The
remaining big unknown in the design is how to do renewal. I have
put my ideas into the design page[1] and would appreciate any and
all feedback!
[1] http://www.freeipa.org/page/V4/Sub-CAs#Renewal
Some brief commentary
The attached patch allows "host-authority" to be used as valid
reference to the host authority when creating a LWCA. It makes life
easier for me on the FreeIPA side :)
Cheers,
Fraser
From f1860c2315f13d458a33521f78327b8c3a84a246 Mon Sep 17 00:00:00 2001
From: Fraser Tweed