René G. Eberhard wrote:
>
> Hi
>
> I really like this status mail.
>
> > o Steve is currently working on (in no particular order):
> > Proper (or at least usable) certificate chain verification.
> How do you do that? Is there a requirement spec in the archive?
> I think I'm not the only one who is interested in that.
>
Actually this is long overdue and I've realised it can be handled
without the other dependencies if you have a (say)
get_issuer_certificate() callback (which will do something simple at
first but will get cleverer) and a get_trust_status() callback.
I've looked through the verify code again and this doesn't seem too hard
to do in a "usable" way. "Full" chain verification is a bit murky
because of the ambiguous nature of things like PKIX descriptions.
Anyway since it's likely to involve some hard to predict consequences
when it's enabled it seems a good idea to add the initial stuff soon.
I'll look into it...
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
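
Added example, not part of the original message and not OpenSSL code: a self-contained C sketch of chain building driven only by the two callbacks named in the reply, get_issuer_certificate() and get_trust_status(). The cert_t type, verify_chain(), the result codes, the depth limit and the sample store are all hypothetical, and certificates are modelled as name pairs with no signature, validity or extension checks.

```c
#include <stddef.h>
#include <string.h>

/* Toy certificate: subject and issuer names only (assumption for this sketch). */
typedef struct { const char *subject, *issuer; } cert_t;
typedef const cert_t *(*get_issuer_cb)(const cert_t *c, void *arg);
typedef int (*get_trust_cb)(const cert_t *c, void *arg);
enum { CHAIN_OK = 0, CHAIN_NO_ISSUER, CHAIN_UNTRUSTED_ROOT, CHAIN_TOO_LONG };
#define MAX_DEPTH 8

/* Walk from the leaf toward a trust anchor using only the two callbacks. */
int verify_chain(const cert_t *leaf, get_issuer_cb get_issuer_certificate,
                 get_trust_cb get_trust_status, void *arg)
{
    const cert_t *cur = leaf;
    for (int depth = 0; depth < MAX_DEPTH; depth++) {
        if (get_trust_status(cur, arg))
            return CHAIN_OK;                 /* reached a trusted certificate */
        if (strcmp(cur->subject, cur->issuer) == 0)
            return CHAIN_UNTRUSTED_ROOT;     /* self-issued but not trusted */
        cur = get_issuer_certificate(cur, arg);
        if (cur == NULL)
            return CHAIN_NO_ISSUER;          /* chain cannot be completed */
    }
    return CHAIN_TOO_LONG;                   /* depth cap also ends issuer loops */
}

/* Constructed sample store: one good path, an unrelated root, and a loop. */
static const cert_t store[] = {
    {"Example Root", "Example Root"},
    {"Example Intermediate", "Example Root"},
    {"Other Root", "Other Root"},
    {"Loop A", "Loop B"}, {"Loop B", "Loop A"},
};
const cert_t leaf_ok     = {"www.example.test", "Example Intermediate"};
const cert_t leaf_orphan = {"orphan.example.test", "Missing CA"};
const cert_t leaf_loop   = {"loop.example.test", "Loop A"};

/* A simple first issuer lookup: match issuer name against stored subjects. */
const cert_t *lookup_by_name(const cert_t *c, void *arg)
{
    (void)arg;
    for (size_t i = 0; i < sizeof store / sizeof store[0]; i++)
        if (strcmp(store[i].subject, c->issuer) == 0) return &store[i];
    return NULL;
}
/* Trust is decided separately from lookup: arg names the single anchor. */
int trust_by_name(const cert_t *c, void *arg) { return strcmp(c->subject, (const char *)arg) == 0; }

int verify_sample(const cert_t *leaf, const char *anchor)
{
    return verify_chain(leaf, lookup_by_name, trust_by_name, (void *)anchor);
}
```

Keeping the trust decision in its own callback means the same walk gives different answers for the same certificates depending on which anchor the caller configures, and an intermediate can act as the anchor without the root being present.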