Hm... Any particular reason for this? It seems to me that if you have
trusted certs then you need to use *all* of them. Plus I am a little
bit afraid that this might screw existing applications.

It seems to me there is almost no reason to avoid installing trusted
certs and corresponding CRLs to the system storage. So the user can either
provide the chain passing all necessary certs manually or suppose the
root cert (or the first few certs) are already present in the system.
Unfortunately, we didn't find a way to add trusted certs to the system
store during cert chain verification.

Exactly! So why not keep the existing logic:
- check the "current" trusted certs from the KeyManager (kind of session
trusted certs)
- then check the system trusted certs

I am not sure I like the idea of excluding system certs altogether. It
does not sound right to me.

Aleksey
_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
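The two-step lookup proposed above (session trusted certs from the KeyManager first, then the system trusted certs) as an added, self-contained Go example. This is not xmlsec's own code, and it uses Go's standard-library `crypto/x509` rather than OpenSSL; the certificates, the names `issue`, `verifyTwoTier` and `Demo`, and the in-memory "system" pool are all constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for cn; self-signed when parent is nil,
// otherwise signed by parent with parentKey. (Constructed test PKI only.)
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signKey := tmpl, key
	if parent != nil {
		signer, signKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// pool always returns a non-nil CertPool: a nil Roots pool makes Go consult
// the real OS store implicitly, which is the fallback we want to make explicit.
func pool(certs []*x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	for _, c := range certs {
		p.AddCert(c)
	}
	return p
}

// verifyTwoTier tries the session (key manager) anchors first and only then the
// system anchors, returning the tier that accepted the chain.
func verifyTwoTier(leaf *x509.Certificate, intermediates, sessionRoots, systemRoots []*x509.Certificate) (string, error) {
	tiers := []struct {
		name  string
		roots []*x509.Certificate
	}{{"session", sessionRoots}, {"system", systemRoots}}
	var lastErr error
	for _, t := range tiers {
		opts := x509.VerifyOptions{
			Roots:         pool(t.roots),
			Intermediates: pool(intermediates),
			KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
		}
		if _, err := leaf.Verify(opts); err == nil {
			return t.name, nil
		} else {
			lastErr = err
		}
	}
	return "", fmt.Errorf("no trust anchor in session or system store: %w", lastErr)
}

// Demo builds a small in-memory PKI and maps each leaf name to the tier that
// trusted it ("untrusted" when neither tier has a matching anchor).
func Demo() (map[string]string, error) {
	var firstErr error
	mk := func(cn string, ca bool, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
		c, k, err := issue(cn, ca, parent, pk)
		if err != nil && firstErr == nil {
			firstErr = err
		}
		return c, k
	}
	sessionRoot, sessionKey := mk("Session Root", true, nil, nil)
	systemRoot, systemKey := mk("System Root", true, nil, nil)
	inter, interKey := mk("System Intermediate", true, systemRoot, systemKey)
	strayRoot, strayKey := mk("Unknown Root", true, nil, nil)
	leafSession, _ := mk("leaf-session", false, sessionRoot, sessionKey)
	leafSystem, _ := mk("leaf-system", false, inter, interKey)
	leafStray, _ := mk("leaf-stray", false, strayRoot, strayKey)
	if firstErr != nil {
		return nil, firstErr
	}
	results := map[string]string{}
	for _, leaf := range []*x509.Certificate{leafSession, leafSystem, leafStray} {
		tier, err := verifyTwoTier(leaf, []*x509.Certificate{inter}, []*x509.Certificate{sessionRoot}, []*x509.Certificate{systemRoot})
		if err != nil {
			tier = "untrusted"
		}
		results[leaf.Subject.CommonName] = tier
	}
	return results, nil
}

func main() {
	res, err := Demo()
	if err != nil {
		panic(err)
	}
	for name, tier := range res {
		fmt.Printf("%s -> %s\n", name, tier)
	}
}
```

The order matters for the concern raised in the thread: a leaf that chains only to a system anchor still verifies because the system tier is consulted after the session tier fails, and a leaf chaining to an anchor in neither tier is rejected rather than silently accepted.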