On 2013-01-28, Florian Weimer <fweimer@xxxxxxxxxx> wrote:
> On 01/28/2013 03:45 PM, Petr Pisar wrote:
>> On 2013-01-25, Florian Weimer <fweimer@xxxxxxxxxx> wrote:
>>> On 01/24/2013 12:30 PM, Stef Walter wrote:
>>>
>>>> So yes, as noted in the 'Detailed Description' of the feature, long term
>>>> we hope to follow this up with further work to make all the crypto
>>>> libraries be able to process the information in its entirety.
>>>
>>> Okay. In the long term, it might make sense to offload the entire
>>> certificate chain validation to a daemon.
>>
>> Something like dirmngr?
>
> Good point, dirmngr comes pretty close. But if I recall correctly,
> dirmngr is mainly used to retrieve user certificates over LDAP, for use
> with S/MIME.

dirmngr's purpose is to answer the question `Has this certificate been
revoked?'. It traverses the whole authority chain, and it supports OCSP
and CRL over HTTP and LDAP with proper caching. (It does not support
partial CRLs, but that's a detail.)

There is a dirmngr-client tool to submit the question. I'm not sure if it
verifies the certificate itself.

The only problem is that the upstream (Werner Koch & Co.) is a little bit
unresponsive.

--
Petr

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel