In v1.0.8 we added sign-off checks to ensure that the enrollment list at remote settings matched the enrollment list for the current full filter. There are a few situations where the new checks are too strict.
1) We might want to add a new intermediate in the crlite_enrolled = False state between full filter updates. These are useful for preloading.
2) We might want to unenroll an issuer from CRLite (because of misbehavior of some kind) without pushing a full filter update.
We should relax the signoff checks to allow remote settings to differ from the aggregator's enrollment list for intermediates in the crlite_enrolled = False state.
In v1.0.8 we added sign-off checks to ensure that the enrollment list at remote settings matched the enrollment list for the current full filter. There are a few situations where the new checks are too strict. 1) We might want to add a new intermediate in the
crlite_enrolled = Falsestate between full filter updates. These are useful for preloading. 2) We might want to unenroll an issuer from CRLite (because of misbehavior of some kind) without pushing a full filter update.We should relax the signoff checks to allow remote settings to differ from the aggregator's enrollment list for intermediates in the
crlite_enrolled = Falsestate.