On Fri, Nov 30, 2007 at 10:34:28AM +0100, Marc Stern wrote:
> To be generic, we should be able to set some options based on the cert CA,
> because we could use several types of certs (like when dealing with
> national certs from European countries).

Having security policy decided based on a *regex match* against a
textual representation of the issuer DN sounds pretty scary to me!

So the config options that are needed currently seem to be something
like this:

  # select whether to validate the whole chain or just the EE cert
  SSLOCSPValidateWholeChain <flag>

  # set maximum time skew and age for response validity period
  SSLOCSPResponseWindow <skew-secs> <max-age-secs>

  # set CA certs for response signature verification
  SSLOCSPResponseCAFile <file>
  SSLOCSPResponseCAPath <directory>

These (and existing config options) could conceivably be wrapped into
issuer-CA-specific containers in the configuration, like:

  <SSLOCSPValidationPolicy issuer-cert-file>
    SSLOCSPFoo on
  </SSLOCSPValidationPolicy>

which does some magic to allow selection of policy based on matching the
EE's issuer DN against the DNs of the certs in the issuer-cert-file; but
that's all blue sky stuff.

joe
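Added example (not part of the original message and not mod_ssl code): a C sketch of the freshness check that a directive like the proposed SSLOCSPResponseWindow <skew-secs> <max-age-secs> would configure. The skew tolerates clock drift between server and responder, and the max age bounds how long an old "good" response without nextUpdate stays acceptable. The function name, result codes and sample times are assumptions made for this illustration.

```c
#include <stdio.h>
#include <time.h>

/* Hypothetical result codes for this sketch. */
enum window_result {
    WINDOW_OK = 0,
    WINDOW_NOT_YET_VALID,   /* thisUpdate lies in the future beyond the skew */
    WINDOW_TOO_OLD,         /* thisUpdate is older than the maximum age */
    WINDOW_EXPIRED,         /* nextUpdate has passed by more than the skew */
    WINDOW_INCONSISTENT     /* nextUpdate precedes thisUpdate */
};

/*
 * this_update / next_update: times taken from the OCSP single response.
 * has_next: 0 when the responder omitted nextUpdate.
 * skew_secs: tolerated clock difference.
 * max_age_secs: a negative value disables the age check.
 */
enum window_result
check_response_window(time_t now, time_t this_update, int has_next,
                      time_t next_update, long skew_secs, long max_age_secs)
{
    if (this_update > now + skew_secs)
        return WINDOW_NOT_YET_VALID;
    if (max_age_secs >= 0 && this_update < now - max_age_secs)
        return WINDOW_TOO_OLD;
    if (has_next) {
        if (next_update < this_update)
            return WINDOW_INCONSISTENT;
        if (next_update < now - skew_secs)
            return WINDOW_EXPIRED;
    }
    return WINDOW_OK;
}

int main(void)
{
    time_t now = 1196415268; /* constructed sample clock value */
    /* Constructed cases: fresh response, day-old response with no
     * nextUpdate, and a response dated 15 minutes in the future. */
    printf("%d\n", check_response_window(now, now - 60, 1, now + 3600, 300, 3600));
    printf("%d\n", check_response_window(now, now - 86400, 0, 0, 300, 3600));
    printf("%d\n", check_response_window(now, now + 900, 1, now + 4500, 300, 3600));
    return 0;
}
```

With the age check disabled, the second case would be accepted, which is why a response lacking nextUpdate needs the max-age bound.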