[gnutls-devel] OCSP / gnutls_ocsp_status_request_is_checked()
Tim Ruehsen
tim.ruehsen at gmx.de
Mon Jan 19 14:36:31 CET 2015
Hi,
for caching and user information purposes I would like to see
gnutls_ocsp_status_request_is_checked() (or a new function, see below)
return three states:
1. no stapled OCSP response
2. cert is valid
3. cert has been revoked
Since we have to check the whole cert chain (you already mentioned rfc 6961),
I suggest a new function that returns an array of result codes, one for each
cert in the chain. Similar to gnutls_certificate_get_peers(). Each result code
with e.g. Notavail, Valid or Revoked.
This approach would work with the current state (one stapled response) and
with future implementations of rfc 6961 (without it, OCSP stapling seems
totally incomplete).
Maybe it's time to contact the Apache and Nginx people to think about rfc
6961?
What do you think ?
Tim
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20150119/881daa3a/attachment.sig>
More information about the Gnutls-devel
mailing list