> On Apr 19, 2019, at 6:42 PM, Michael Ströder <mich...@stroeder.com> wrote:
>
> If a cert's key gets compromised (e.g. laptop lost/stolen) I expect the user's
> cert to be revoked and a new cert to be issued for the *same* subject name.
> How to deal with that without revocation check?

Delete the name match, and match by the key fingerprint until the old
certificate is expired. Then go back to name checks.

> I think that people are asking for this feature because they just want to
> issue a new cert and *not* deal with any postfix map update.

CRLs don't make for reliable infrastructure. My view is that pretending
otherwise would be a disservice to the Postfix user community. It is much
easier to update the Postfix tables than to provision a working CRL
infrastructure.

I have no plans to spend any time working on CRL support for Postfix.

--
Viktor.