dogtagpki / pki

The Dogtag Certificate System is an enterprise-class Certificate Authority (CA) which supports all aspects of certificate lifecycle management, including key archival, OCSP and smartcard management.
https://www.dogtagpki.org
GNU General Public License v2.0

Code submission by Josh Roys: [PATCH] Add support for RFC4043 permanent identifiers #660

Open pki-bot opened 4 years ago

pki-bot commented 4 years ago

This issue was migrated from Pagure Issue #88. Originally filed by vakwetu (@vakwetu) on 2012-01-19 17:11:16:


Date: Fri, 16 Dec 2011 14:35:41 -0500

Hello,

Attached is a patch to implement (half of) RFC4043 Permanent Identifiers. The cases where the identifierValue is not supplied are not supported. (This was tested on pki 1.3.x and sometime soon I will test it on 9.0.x also.)

I'm not sure if the code reformatting is done yet, so I'll rebase this patch later if need be. Also, either a V2 of this patch or a follow-up will add pretty-printing.

Josh

pki-bot commented 4 years ago

Comment from vakwetu (@vakwetu) at 2012-01-19 17:11:27

attachment 0001-Add-support-for-RFC4043-permanent-identifiers.patch

pki-bot commented 4 years ago

Comment from cfu (@cfu) at 2012-11-13 21:14:10

Thanks for submitting the code. A couple questions:

1. In the Description it says that this "is a patch to implement (half of) RFC4043 Permanent Identifiers." Which half is that? (what's implemented and what's not?)
2. Do you know of any publicly available client that supports this RFC?

Thanks! - Christina

pki-bot commented 4 years ago

Comment from roysjosh at 2012-11-13 21:26:57

Hello Christina,

You're welcome. According to the RFC, there are four combinations of two OPTIONAL values (search for "The various combinations are detailed below:" in the RFC). Cases three and four where the identifierValue is absent are not supported with the current code. However, re-reading the text it is possible I misinterpreted it and the language is geared towards the client w.r.t. a missing identifierValue requiring the use of a serialNumber...

For comment 2, I was unable to find much on existing implementations, and I even found a few incorrectly implemented (I don't actually recall finding a "good" one). Due in part to this and changing requirements on our end, it looks like this extension won't be necessary for us.

Josh

pki-bot commented 4 years ago

Comment from vakwetu (@vakwetu) at 2017-02-27 14:07:06

Metadata Update from @vakwetu: