> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf > Of Salz, Rich > Sent: Sunday, March 29, 2015 09:31 > To: openssl-users at openssl.org > Subject: Re: [openssl-users] Certification Path Building / non-hierachical PKI > > > Are there any plans or patches for such a feature? > > We have no plans for this. It should be relatively straightforward to implement a non-hierarchical X.509 PKI in an OpenSSL-based application using the certificate verification callback, though. The necessary graph algorithms are well-known and I believe there are existing open-source implementations (or it could be done in some language other than C that's more amenable to graph processing). It's not trivial, but between the RFC and a basic understanding of graph processing it's pretty clear what needs to be done. A larger concern is probably the processing time for checking certification paths; as the RFC points out, this kind of graph-path processing grows quickly with the size of the graph. -- Michael Wojcik Technology Specialist, Micro Focus This message has been scanned for malware by Websense. www.websense.com
