[kmf-discuss] Qs on KMF policy
Wyllys Ingersoll
wyllys.ingersoll at sun.com
Mon Dec 17 08:34:44 PST 2007
Jan Pechanec wrote:
> On Fri, 14 Dec 2007, Huie-Ying Lee wrote:
>
>
>>> ok, it's saved but it is used only if I call crl functions, right? If I
>>> call kmf_validate_cert() and CRL policy attributes are set, the CRL file will
>>> be downloaded every time I call kmf_validate_cert() (?)
>>>
>>>
>> The CRL file will be downloaded only when the crl-get-crl-uri policy is set to
>> true. The downloaded CRL file will be saved at the file specified at
>> "crl-basefilename" policy.
>>
>> If crl-get-crl-uri=false and crl-basefilename is set, then the crl checking
>> inside kmf_validate_cert() will not download the CRL file again, and it will
>> use the CRL file specified at crl-basefilename policy directly.
>>
>
> ok, and if crl-get-crl-uri is TRUE and crl-basefilename is set, will
> the CRL be downloaded every time I call kmf_validate_cert(), or will it be
> downloaded only when the current version expires?
>
> thanks, J.
>
>
Currently, the code does not check for expiration; it will keep
downloading. It seems reasonable to add a check for expiration to avoid
re-downloading unnecessarily. Care to file an RFE for this?

The logic would be to check to see if the CRL already exists. If so,
don't download again if it is still within the validity period.

I am switching this discussion to kmf-discuss at opensolaris.org, we should
be having this discussion in the open.

I was out on vacation Friday, but have been following along and I plan
to update the documentation around the validate/verify operations to try
and clear up some questions for future readers.
-Wyllys
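As an added illustration, not code from KMF or from anyone in this thread: the CRL policy decision discussed above (crl-get-crl-uri, crl-basefilename, and the proposed "don't re-download while still within the validity period" check), written out so the four cases can be compared side by side. It assumes the caller has already read thisUpdate/nextUpdate out of the cached CRL file (for example with `openssl crl -in <file> -noout -lastupdate -nextupdate`); the names CrlPolicy, CrlValidity and choose_crl_action are hypothetical, not KMF API.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

class CrlAction(Enum):
    SKIP = "no CRL check possible: no URI fetch and no crl-basefilename"
    USE_CACHED = "use the CRL file at crl-basefilename as-is"
    DOWNLOAD = "fetch the CRL from its distribution point and save it"

@dataclass(frozen=True)
class CrlPolicy:  # hypothetical wrapper for the two KMF policy attributes
    get_crl_uri: bool            # crl-get-crl-uri
    basefilename: Optional[str]  # crl-basefilename, None if unset

@dataclass(frozen=True)
class CrlValidity:  # window read from the cached CRL (thisUpdate/nextUpdate)
    this_update: datetime
    next_update: Optional[datetime]  # nextUpdate is OPTIONAL in RFC 5280

def choose_crl_action(policy: CrlPolicy, cached: Optional[CrlValidity],
                      now: datetime, check_expiry: bool = True) -> CrlAction:
    """cached is None when no file exists at crl-basefilename.
    check_expiry=False reproduces the current behaviour described in the
    thread (always re-download); True adds the proposed expiration check."""
    if not policy.get_crl_uri:
        # crl-get-crl-uri=false: never download; use the base file directly if set.
        return CrlAction.USE_CACHED if policy.basefilename else CrlAction.SKIP
    if not check_expiry or policy.basefilename is None or cached is None:
        # No usable file on disk, or expiry check not wanted: fetch every time.
        return CrlAction.DOWNLOAD
    if cached.next_update is None:
        # Without nextUpdate there is no validity period to trust: treat as stale.
        return CrlAction.DOWNLOAD
    if cached.this_update <= now < cached.next_update:
        return CrlAction.USE_CACHED
    return CrlAction.DOWNLOAD

# Constructed sample windows for the demo and tests (not from any real CRL).
NOW = datetime(2007, 12, 17, 16, 34, tzinfo=timezone.utc)
FRESH = CrlValidity(NOW - timedelta(days=1), NOW + timedelta(days=6))
EXPIRED = CrlValidity(NOW - timedelta(days=8), NOW - timedelta(days=1))
NO_NEXT = CrlValidity(NOW - timedelta(days=1), None)

if __name__ == "__main__":
    policy = CrlPolicy(get_crl_uri=True, basefilename="/tmp/example.crl")
    for label, cached in (("fresh", FRESH), ("expired", EXPIRED), ("missing", None)):
        print(f"{label:8} current: {choose_crl_action(policy, cached, NOW, False).name:10}"
              f" with expiry check: {choose_crl_action(policy, cached, NOW).name}")
```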