[Pki-users] partition dogtag data in the ldap server?

Alexander Jung alexander.w.jung at gmail.com
Fri Jul 24 07:07:55 UTC 2015


2015-07-22 22:43 GMT+02:00 Christina Fu <cfu at redhat.com>:

> Thank you Dave for bringing this email to my attention...somehow it
> slipped by me.
>
> I just want to point out that if you do choose to "remove" certs from the
> internal ldap repository, please do not remove any certs that are revoked
> but not yet expired.  Doing so will cause your CRL generation to miss the
> revoked certificates, and render them valid when checked upon by clients.
> It would be a big security violation of PKI.
>

Yes, I am planning to move only the expired (or revoked-expired certs).
While we do not really use the CRL any more (OCSP is the thing nowadays
:-), we keep it for compatibility...

Kind regards,

Alexander Jung
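The rule Christina states above (expired certs, revoked or not, may go; revoked-but-unexpired certs must stay because the CRL is built from the repository) is the check a pruning job has to apply. Below is an added example of such a check; it is not code from this thread or from Dogtag. The record shape (certStatus, notAfter in LDAP GeneralizedTime) and the status values are assumptions about the certificate repository and should be confirmed against your own instance; the sample records are constructed.

```python
from datetime import datetime, timezone

# Constructed sample records, shaped like entries in the internal certificate
# repository. Attribute names and status values are assumptions for this example.
SAMPLE_RECORDS = [
    {"serialno": "10", "certStatus": "VALID",           "notAfter": "20160101000000Z"},
    {"serialno": "11", "certStatus": "EXPIRED",         "notAfter": "20140101000000Z"},
    {"serialno": "12", "certStatus": "REVOKED",         "notAfter": "20160601000000Z"},
    {"serialno": "13", "certStatus": "REVOKED_EXPIRED", "notAfter": "20150101000000Z"},
    # Revoked and already past notAfter, but the status field has not been
    # updated yet: the decision must rest on notAfter, not on certStatus alone.
    {"serialno": "14", "certStatus": "REVOKED",         "notAfter": "20150701000000Z"},
]

def parse_generalized_time(value):
    """Parse LDAP GeneralizedTime of the form YYYYMMDDHHMMSSZ into a UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

# Reference instant for the sample run (the date of the message above).
AS_OF = parse_generalized_time("20150724070755Z")

def partition_for_archival(records, as_of=AS_OF):
    """Split repository records into movable and must-keep sets.

    Returns a dict with three lists of serial numbers:
      movable          - notAfter has passed; expired certs (revoked or not)
                         no longer influence CRL contents and may be moved out
      retained_valid   - still valid, untouched
      retained_revoked - revoked AND still within validity: removing these
                         would make the next CRL silently omit them
    """
    result = {"movable": [], "retained_valid": [], "retained_revoked": []}
    for rec in records:
        expired = parse_generalized_time(rec["notAfter"]) <= as_of
        revoked = rec["certStatus"] in ("REVOKED", "REVOKED_EXPIRED")
        if expired:
            result["movable"].append(rec["serialno"])
        elif revoked:
            result["retained_revoked"].append(rec["serialno"])
        else:
            result["retained_valid"].append(rec["serialno"])
    return result

if __name__ == "__main__":
    for bucket, serials in partition_for_archival(SAMPLE_RECORDS).items():
        print(f"{bucket:17s} {serials}")
```

Serial 14 shows why the filter keys on notAfter rather than on status: it is already expired and safe to move even though its status still reads REVOKED, while serial 12 is refused.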