#528 Investigate current PKI standards
Closed: Fixed None Opened 11 years ago by nkinder.

We should look through a number of the current PKI related RFCs to see if there is functionality we should bring up to date to match the standards. Some specific areas we should look at are:

We also know that there are some specific areas to investigate, like dealing with different subject encodings, so we should focus on the areas where we know we are not up to the latest standard.

The goal is not to add functionality for everything found in the RFCs. We want to make sure our existing functionality and features follow the standards. If there is functionality defined in the standards that we do not have, we should evaluate if there is a strong use-case and need for us to add that functionality. We should file separate tickets for functionality that we need to bring up to date as we do this investigation.


Here is a preliminary list of SCEP desired enhancements and fixes grouped in categories:

  • SCEP protocol enhancements:
    • Phase 1
      1. Ticket #621 - closed - Add SCEP support for Certificate Access
      2. Ticket #622 - closed - Add SCEP support for CRL Access
    • Phase 2:
      1. Ticket #623 - 10.2 - Add SCEP support for Client Certificate Renewal
    • Phase 3:
      1. Ticket #625 - FUTURE - Add SCEP support for GetNextCACert
      2. Ticket #626 - FUTURE - Add SCEP support for CA Key Rollover
    • Phase 4:
      1. Ticket #627 - FUTURE - Add SCEP support for GetCACaps
  • Possible encoding or algorithmic enhancements:
    1. Ticket #442 - 10.1.08 - CA throws exception while processing SCEP PKCSReq message when cert DB is in FIPS mode
    2. Ticket #443 - 10.1.08 - SCEP: Invalid OID in CertRep signerInfo when using SHA-2
    3. Ticket #615 - 10.1.06 - SCEP PKIOperation InvalidBERException
  • Functionality enhancements:
    1. Ticket #634 - 10.2 - Add pretty print for SCEP requests and responses
    2. Ticket #444 - 10.1.08 - Utilize database rather than plaintext flat files when utilizing SCEP one-time PIN

Here is a preliminary list of CRL desired enhancements and fixes grouped in categories:

  • CRL RFC enhancements:
    1. Ticket #636 - FUTURE - Add support for indirect CRLs and Certificate Issuer extension
  • CRL scalability and performance:
    1. Ticket #633 - 10.2 - CRL issuing point needs scalability review
    2. Ticket #632 - 10.2 - CRL publishing needs performance review
    3. Ticket #635 - 10.2 - Split crlIssuingPointRecord in sub-records to improve scalability and performance
    4. Ticket #628 - 10.2 - OCSP should support delta CRLs
  • CRL issues:
    1. Ticket #574 - 10.1.08 - CRL scheduler may go into the infinite loop
    2. Ticket #573 - 10.1.08 - Higher values of "next update grace period" are adding an extra hour to CRL's NextUpdate
    3. Ticket #572 - 10.1.08 - CRL scheduler adds extra CRL generation at midnight for daily schedules
    4. Ticket #489 - 10.1.08 - CRL updates only after server restart
    5. Ticket #490 - 10.1.08 - Adding CRL Issuing point with empty name
  • Functionality enhancements:
    1. Ticket #637 - 10.2 - Automatic management of CRL generation in clones
    2. Ticket #346 - 10.1.08 - Configuration wizard needs to properly configure default CRL issuing point when configuring cloned CA

Here is a preliminary list of CRMF desired enhancements and fixes:

  • Ticket #638 - 10.1.08 - DRM: key archival request from CRMFPopTool causes nullPointerException when viewing requests
  • Ticket #639 - 10.1.08 - Config wizard: adminpanel fails at nsIDOMCrypto.generateCRMFRequest when CS instance name (hence the DN) is long
  • Ticket #640 - 10.2 - CMC not able to handle multiple CSRs in one CMC enrollment request
  • Ticket #655 - FUTURE- Investigate option of using CMC with IE
  • Ticket #659 - FUTURE- Support sMIMECapabilities extensions in certificates (RFC 4262)

Metadata Update from @nkinder:
- Issue assigned to awnuk
- Issue set to the milestone: 10.1 - 06/13 (June)

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/1098

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.

Log in to comment on this ticket.

Metadata