for those who don't read openssl-dev
-------- Original Message --------
Subject: [openssl.org #3016] openssl ts fix
Date: Wed, 13 Mar 2013 16:13:31 +0100
From: Peter Sylvester via RT <r...@openssl.org>
Reply-To: openssl-...@openssl.org
CC: openssl-...@openssl.org

Hi,

I have "weakened" the Esscertid logic a bit. Only the signer certificate is checked and it must be in the first Esscertid. This resolves issues when TSAs add attribute certs etc.

Since RFC 3161 does not require a client to check anything else than the presence of the signer cert (and even it is badly written), I think the verification of a "chain" in the ess was not appropriate logic.

regards
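The check described in the message above, as an added illustration that is not the OpenSSL code or the patch from the ticket: it compares a signer-only rule with a stricter chain rule on a timestamp whose ESSCertID list also names an attribute certificate. The function names, the byte strings standing in for DER certificates, and the exact shape of the stricter rule are assumptions made for this sketch.

```python
import hashlib
import hmac

def cert_hash(der):
    """ESSCertID.certHash (RFC 2634): SHA-1 over the whole DER certificate."""
    return hashlib.sha1(der).digest()

def find_cert(ess_hashes, der):
    """Index of the first ESSCertID whose hash matches this certificate, or -1."""
    wanted = cert_hash(der)
    for i, h in enumerate(ess_hashes):
        if hmac.compare_digest(h, wanted):
            return i
    return -1

def check_signer_only(ess_hashes, signer_der):
    """Relaxed rule from the message: the signer must be the first ESSCertID.
    Any further entries (attribute certs etc.) are ignored."""
    return find_cert(ess_hashes, signer_der) == 0

def check_with_chain(ess_hashes, chain):
    """Stricter rule, modelled here as an assumption: signer first, and when
    more than one ESSCertID is present every chain certificate must be listed."""
    if not chain or find_cert(ess_hashes, chain[0]) != 0:
        return False
    if len(ess_hashes) > 1:
        return all(find_cert(ess_hashes, c) >= 0 for c in chain[1:])
    return True

# Constructed placeholders for DER-encoded certificates (not real certificates).
SIGNER = b"constructed-DER: TSA signer certificate"
CA = b"constructed-DER: issuing CA certificate"
ATTR = b"constructed-DER: attribute certificate"

def demo():
    # The TSA lists its signer cert plus an attribute cert, but not the CA.
    ess = [cert_hash(SIGNER), cert_hash(ATTR)]
    strict = check_with_chain(ess, [SIGNER, CA])   # CA is not listed
    relaxed = check_signer_only(ess, SIGNER)       # only the first entry matters
    return strict, relaxed

if __name__ == "__main__":
    print("strict=%s relaxed=%s" % demo())
```

The relaxed rule still rejects a token whose first ESSCertID is not the signer, so the binding between the signature and the signing certificate is kept; path validation of the signer certificate is a separate step and is not shown here.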