From: [EMAIL PROTECTED]

steve>   +  *) Add additional OCSP certificate checks. These are those specified
steve>   +     in RFC2560. This consists of two separate checks: the CA of the
steve>   +     certificate being checked must either be the OCSP signer certificate
steve>   +     or the issuer of the OCSP signer certificate. In the latter case the
steve>   +     OCSP signer certificate must contain the OCSP signing extended key
steve>   +     usage. This check is performed by attempting to match the OCSP
steve>   +     signer or the OCSP signer CA to the issuerNameHash and issuerKeyHash
steve>   +     in the OCSP_CERTID structures of the response.
steve>   +     [Steve Henson]
steve>   +
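
Review bot: The sentence "This consists of two separate checks" covers only two signers, the CA of the certificate being checked or a certificate issued by that CA carrying the OCSP signing extended key usage, and the entry does not say what happens to a response signed by any other certificate. Suggest adding a sentence stating whether such a response is rejected outright or can be accepted through some explicitly configured trust, so the behaviour can be read from CHANGES. Since the match is made against the issuerNameHash and issuerKeyHash of the OCSP_CERTID structures "of the response", it would also help to say whether every OCSP_CERTID in a response must match or only one. Minor wording: "These are those specified in RFC2560. This consists of" switches from plural to singular; "These are the checks specified in RFC2560 and consist of" reads more cleanly.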

I don't recall, and don't have good access to the source right now:
does verification also work with VA certs, that is, completely
separate signer certificates that you configure on the client end as
well as the server end?

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Chairman@Stacken   \ S-168 35  BROMMA  \ T: +46-8-26 52 47
Redakteur@Stacken   \      SWEDEN       \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis                -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
