On 31/10/17 16:02, Wouter Verhelst wrote:
> Hi Matt,
>
> On 31-10-17 16:36, Matt Caswell wrote:
>> Can you use OCSP_basic_verify() passing in OCSP_NOVERIFY in the final
>> "flags" argument? This basically finds the signer certificate and
>> verifies the signature using OCSP_BASICRESP_verify(), but skips all the
>> chain validation bit.
> Just wanted to point out that that is, actually, a confusing name for
> that flag.
>
> "NOVERIFY" seems to imply that there is no verification being done, at
> all. Intuitively one senses that's not right, and that at least some
> verification will be done (in casu the signature will still be checked);
> but figuring out which part of the verification is being dropped and
> which part isn't requires one to read either the library source or the
> documentation, both of which are annoying if they can be avoided and do
> not help for the readability of code that uses the flag in question.
>
> Might I suggest that this flag be renamed somehow, to something that
> makes it more clear what exactly it does?
>

I agree it's not a great name for it. Unfortunately we are stuck with it for compatibility reasons. If we renamed it we would break any code that is currently using it. We could introduce a new flag with a different name which does the same thing - but I'm not sure that does anything to make things less confusing.

The best way forward is to document it. It isn't documented at all at the moment along with a number of other OCSP related functions and features. PRs welcome for that.

Matt
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
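The two layers the thread is about, as an added example that is not part of the original messages and not OpenSSL's own code: a Python model (using the `cryptography` package rather than the OpenSSL C API) of what OCSP_basic_verify() still does under OCSP_NOVERIFY (locate the signer by responderID, check the signature over tbsResponseData) versus what the flag switches off (confirming the signer is actually trusted). The function names, the constructed CA/responder/subject certificates and the "rogue responder" scenario are all assumptions made for illustration. The trust check is deliberately reduced to a single issuer hop; the real OpenSSL code builds and verifies a full chain and additionally checks that the signer is the issuer of the certificate in question or is delegated for OCSP signing, none of which is modelled here. Only byName responderIDs and EC keys are handled.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _make_cert(cn, key, issuer_cert=None, issuer_key=None):
    """Constructed test certificate (hypothetical names); self-signed when no issuer is given."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(_name(cn))
        .issuer_name(issuer_cert.subject if issuer_cert else _name(cn))
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=1))
        .sign(issuer_key or key, hashes.SHA256())
    )

def build_response(subject, issuer, responder_cert, responder_key, embed=True):
    """Constructed 'good' OCSP response; 'embed' decides whether the responder cert rides inside it."""
    now = datetime.datetime.now(datetime.timezone.utc)
    b = ocsp.OCSPResponseBuilder().add_response(
        cert=subject, issuer=issuer, algorithm=hashes.SHA256(),
        cert_status=ocsp.OCSPCertStatus.GOOD, this_update=now,
        next_update=now + datetime.timedelta(hours=1),
        revocation_time=None, revocation_reason=None,
    ).responder_id(ocsp.OCSPResponderEncoding.NAME, responder_cert)
    if embed:
        b = b.certificates([responder_cert])
    return b.sign(responder_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)

def find_signer(resp, extra_certs=()):
    """Signer lookup by responderID: the response's own certs first, then the caller's
    list (the role of the 'certs' argument of OCSP_basic_verify). byName only, as an assumption."""
    for cert in list(resp.certificates) + list(extra_certs):
        if resp.responder_name is not None and cert.subject == resp.responder_name:
            return cert
    return None

def verify_signature_only(der, extra_certs=()):
    """What OCSP_NOVERIFY still performs: find the signer and verify the signature.
    Nothing here says the signer is trusted."""
    resp = ocsp.load_der_ocsp_response(der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return False
    signer = find_signer(resp, extra_certs)
    if signer is None:
        return False
    try:  # EC keys only in this model
        signer.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                   ec.ECDSA(resp.signature_hash_algorithm))
    except InvalidSignature:
        return False
    return True

def verify_with_trust(der, trusted_ca, extra_certs=()):
    """The part OCSP_NOVERIFY skips, reduced to one hop: the signer must be
    issued and signed by a CA the caller trusts."""
    if not verify_signature_only(der, extra_certs):
        return False
    signer = find_signer(ocsp.load_der_ocsp_response(der), extra_certs)
    if signer.issuer != trusted_ca.subject:
        return False
    try:
        trusted_ca.public_key().verify(signer.signature, signer.tbs_certificate_bytes,
                                       ec.ECDSA(signer.signature_hash_algorithm))
    except InvalidSignature:
        return False
    return True

def demo():
    """Constructed scenario: a responder under the CA, and a rogue self-signed one."""
    ca_key, resp_key, subj_key, rogue_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(4))
    ca = _make_cert("Test CA", ca_key)
    responder = _make_cert("Test OCSP Responder", resp_key, ca, ca_key)
    subject = _make_cert("server.example", subj_key, ca, ca_key)
    rogue = _make_cert("Rogue Responder", rogue_key)  # self-signed, not under the CA
    good = build_response(subject, ca, responder, resp_key)
    bare = build_response(subject, ca, responder, resp_key, embed=False)
    forged = build_response(subject, ca, rogue, rogue_key)
    return {
        "good_signature_only": verify_signature_only(good),
        "good_trusted": verify_with_trust(good, ca),
        "bare_no_certs": verify_signature_only(bare),               # signer cannot be located
        "bare_with_certs": verify_signature_only(bare, [responder]),  # found via caller's certs
        "forged_signature_only": verify_signature_only(forged),     # passes: signature is valid
        "forged_trusted": verify_with_trust(forged, ca),            # rejected: signer untrusted
    }
```

The `forged_*` pair is the practical caveat behind Wouter's point: a response signed by any key whose certificate is embedded in it passes the signature check that OCSP_NOVERIFY leaves in place, so the flag is only safe when the caller has established trust in the responder by some other means (for example, it already holds the responder's certificate and passes it in `certs`, or it performs its own chain validation afterwards).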