Julien Pierre wrote:
You can however implement what you want without NSS changes, by wrapping the NSS certificate verification function.

By effectively reimplementing a certificate chain build algorithm.


Your algorithm is simple, because it handles only simple cases, but full implementation of rfc3280, cross-certification, policy constraints, handling cert renewal where the old CA cert is signed by the new cert makes this more complex.

I'd prefer to create a patch for NSS where :
- we can have an optional maximal age parameter for revocation information
- we can optionally store a list of the CA up to the root with the revocation information for each of them.
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
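As an added illustration (not code from this thread or from NSS), the "maximal age for revocation information" idea applied to the per-CA revocation data the reply proposes to store: each CA up to the root carries the thisUpdate time of its latest revocation data, and the chain is rejected when any entry is missing or older than the configured limit. Type and function names and the sample chain are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class CaRevocationInfo:
    """Revocation data retained for one CA in the chain (hypothetical record).

    crl_this_update is the thisUpdate of the CRL (or OCSP response) last seen
    for certificates issued by this CA; None means no revocation data exists.
    """
    subject: str
    crl_this_update: Optional[datetime]


def stale_revocation_info(chain: List[CaRevocationInfo],
                          max_age: timedelta,
                          now: datetime) -> List[str]:
    """Return subjects of every CA whose revocation data is missing or older
    than max_age at time `now`. An empty list means the freshness policy holds
    for the whole chain, which is the condition a wrapper around the verifier
    would require before accepting the result."""
    stale = []
    for ca in chain:
        # Missing data is treated as stale: unknown revocation status is not
        # a pass, it is the absence of a check.
        if ca.crl_this_update is None or now - ca.crl_this_update > max_age:
            stale.append(ca.subject)
    return stale


# Constructed sample: a two-CA chain, listed from the issuer of the end-entity
# certificate up to the root. Times are arbitrary and timezone-aware.
SAMPLE_NOW = datetime(2004, 6, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_CHAIN = [
    CaRevocationInfo("CN=Example Intermediate CA",  # CRL is 10 days old
                     SAMPLE_NOW - timedelta(days=10)),
    CaRevocationInfo("CN=Example Root CA",          # CRL is 2 days old
                     SAMPLE_NOW - timedelta(days=2)),
]

if __name__ == "__main__":
    # With a 7-day limit the intermediate's CRL is too old; with 30 days both pass.
    print(stale_revocation_info(SAMPLE_CHAIN, timedelta(days=7), SAMPLE_NOW))
    print(stale_revocation_info(SAMPLE_CHAIN, timedelta(days=30), SAMPLE_NOW))
```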