In message <[EMAIL PROTECTED]> on Fri, 19 Nov 2004 00:45:01 +0100, "Dr. Stephen Henson" <[EMAIL PROTECTED]> said:
steve> The only case remaining is an application that defines a custom
steve> purpose which includes its own broken CA tolerator. I've never
steve> heard of such a thing being used so I'd say this is unlikely to
steve> affect anything. If anyone knows otherwise please speak up!

So? If it was broken before, it won't be more or less broken now. I don't see that as a reason not to do a proper CA check first, as that has nothing to do with the purpose per se.

Note that the changes I've made to the code in v3_purp.c were mostly to get a more complete CA checker, and that the standard purpose checkers haven't really changed in functionality.

There's one thing I'm a little dubious about. check_chain_extensions() still gives X509_check_purpose() i as 3rd argument. I think the argument should really be derived from must_be_ca instead, but I'm not sure what to do when the value is -1. Maybe the expression 'must_be_ca > 0' should be used, considering how the standard purpose checkers work?

Yeah, that seems to be the most sensible manoeuvre...

Cheers,
Richard

-----
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

--
Richard Levitte                         [EMAIL PROTECTED]
                                        http://richard.levitte.org/

"When I became a man I put away childish things, including
 the fear of childishness and the desire to be very grown up."
                                                -- C.S. Lewis

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
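The point under discussion is how the per-position value must_be_ca drives the CA check independently of the purpose, and how the boolean third argument of X509_check_purpose() can be derived from it as must_be_ca > 0 so that the -1 case (leaf certificate, CA or non-CA accepted) maps to an end-entity purpose check. The following C program is an added model written for this page, not OpenSSL's own code: the cert_model struct, the ca_status convention (0 not a CA, 1 CA, 3 legacy cert without basicConstraints), the -1/0/1 meaning of must_be_ca and the error names are all assumptions made for the illustration, and no real certificates are parsed.

```c
/* Model of the chain walk: a CA check dispatched on must_be_ca, then a purpose
 * check whose "ca" flag is must_be_ca > 0.  Added illustration, not OpenSSL code. */
#include <stddef.h>
#include <stdio.h>

/* Assumed stand-in for what X509_check_ca() reports about a certificate. */
enum ca_status { NOT_CA = 0, IS_CA = 1, LEGACY_CA = 3 };

/* Outcome codes of the model (not OpenSSL's X509_V_ERR_* values). */
enum check_result { CHECK_OK = 0, ERR_INVALID_CA = 1, ERR_INVALID_NON_CA = 2, ERR_PURPOSE = 3 };

/* Constructed certificate stand-in: no real X509 parsing here. */
typedef struct {
    const char *name;
    enum ca_status ca;   /* what X509_check_ca() would return */
    int purpose_ok;      /* 1 if key usage etc. fit the requested purpose */
} cert_model;

/* Assumed three-valued semantics: -1 leaf (CA or non-CA accepted, so a
 * self-signed CA cert may be used directly), 0 non-CA only, 1 CA only. */
int must_be_ca_for_position(size_t i)
{
    return i == 0 ? -1 : 1;
}

/* The "proper CA check first": depends only on must_be_ca, not on the purpose. */
enum check_result ca_check_model(int must_be_ca, enum ca_status st, int strict)
{
    switch (must_be_ca) {
    case -1:  /* both allowed; strict mode rejects the ambiguous legacy case */
        if (strict && st != NOT_CA && st != IS_CA) return ERR_INVALID_CA;
        return CHECK_OK;
    case 0:
        return st == NOT_CA ? CHECK_OK : ERR_INVALID_NON_CA;
    default:  /* must be a CA; strict mode additionally demands basicConstraints */
        if (st == NOT_CA) return ERR_INVALID_CA;
        if (strict && st != IS_CA) return ERR_INVALID_CA;
        return CHECK_OK;
    }
}

/* Third argument for the purpose checker, derived as proposed in the thread:
 * must_be_ca > 0, so -1 ("don't care") becomes an end-entity check. */
int purpose_ca_flag(int must_be_ca)
{
    return must_be_ca > 0;
}

/* Purpose check stand-in: as a CA the cert must really be one; as an end
 * entity only its usage bits are examined (a self-signed CA leaf passes). */
enum check_result purpose_check_model(const cert_model *c, int ca)
{
    if (ca) return c->ca != NOT_CA ? CHECK_OK : ERR_PURPOSE;
    return c->purpose_ok ? CHECK_OK : ERR_PURPOSE;
}

/* Walk a chain, index 0 = leaf.  Returns CHECK_OK or the first error and
 * stores the failing index in *bad when bad is non-NULL. */
enum check_result check_chain_model(const cert_model *chain, size_t n, int strict, size_t *bad)
{
    for (size_t i = 0; i < n; i++) {
        int must_be_ca = must_be_ca_for_position(i);
        enum check_result r = ca_check_model(must_be_ca, chain[i].ca, strict);
        if (r == CHECK_OK)
            r = purpose_check_model(&chain[i], purpose_ca_flag(must_be_ca));
        if (r != CHECK_OK) { if (bad) *bad = i; return r; }
    }
    return CHECK_OK;
}

int main(void)
{
    /* Constructed chains for demonstration only. */
    const cert_model good[] = { {"leaf", NOT_CA, 1}, {"intermediate", IS_CA, 1}, {"root", IS_CA, 1} };
    const cert_model selfsigned[] = { {"self-signed CA used directly", IS_CA, 1} };
    const cert_model broken[] = { {"leaf", NOT_CA, 1}, {"claims to sign but is no CA", NOT_CA, 1}, {"root", IS_CA, 1} };
    const cert_model legacy[] = { {"leaf", NOT_CA, 1}, {"legacy CA without basicConstraints", LEGACY_CA, 1} };
    size_t bad = 0;

    printf("good chain:         %d\n", check_chain_model(good, 3, 0, &bad));
    printf("self-signed leaf:   %d\n", check_chain_model(selfsigned, 1, 0, &bad));
    printf("non-CA issuer:      %d at index %zu\n", check_chain_model(broken, 3, 0, &bad), bad);
    printf("legacy CA, lax:     %d\n", check_chain_model(legacy, 2, 0, &bad));
    printf("legacy CA, strict:  %d at index %zu\n", check_chain_model(legacy, 2, 1, &bad), bad);
    return 0;
}
```

The separation matters for the -1 case: the CA check still runs on the leaf (rejecting the ambiguous legacy form under strict mode), while purpose_ca_flag(-1) is 0, so the purpose checker treats the leaf as an end entity without having to know about the three-valued state.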