On 1/4/07, Faidon Liambotis <parav...@debian.org> wrote:
> Hi,
> Thank you for your comments.
>
> Alon Bar-Lev wrote:
> > On 1/3/07, Faidon Liambotis <parav...@debian.org> wrote:
> >> Ok, here's another try, even though I didn't get any comments on the
> >> first one :-)
> >>
> >> This is a totally different approach; the previous one was flawed in at
> >> least two aspects:
> >
> > This is better.
> > But you should use CertVerifyCertificateChainPolicy in order to verify
> > chain, you should have two policies, one for server and one for
> > client...
> I've thought about it but didn't implement it because the only policy I
> could think of was the nsCertType checking which is already being done
> by OpenSSL if the user requested it.

If you integrate into Microsoft trust providers, you should also
support CTL and such. So that the Domain/Computer policy will be
applied to OpenVPN.
But this is just my opinion... :)

Best Regards,
Alon Bar-Lev.
