Re: OCSP_BASICRESP_verify() in 1.1.0

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Matt,

On 31-10-17 16:36, Matt Caswell wrote:
> Can you use OCSP_basic_verify() passing in OCSP_NOVERIFY in the final
> "flags" argument? This basically finds the signer certificate and
> verifies the signature using OCSP_BASICRESP_verify(), but skips all the
> chain validation bit.
Just wanted to point out that that is, actually, a confusing name for
that flag.

"NOVERIFY" seems to imply that there is no verification being done, at
all. Intuitively one senses that's not right, and that at least some
verification will be done (in casu the signature will still be checked);
but figuring out which part of the verification is being dropped and
which part isn't requires one to read either the library source or the
documentation, both of which are annoying if they can be avoided and do
not help for the readability of code that uses the flag in question.

Might I suggest that this flag be renamed somehow, to something that
makes it more clear what exactly it does?

-- 
Wouter Verhelst
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux