Re: [PATCH] OCSP check the whole cert chain
From: Nikos Mavrogiannopoulos
Subject: Re: [PATCH] OCSP check the whole cert chain
Date: Mon, 19 Jan 2015 15:33:47 +0100
On Sat, Jan 17, 2015 at 2:55 PM, Tim Rühsen <address@hidden> wrote:
>> > (There's an RFC for stapling multiple certs in progress.) - Matt
>> > Nordhoff"
>> > To me, this sounds reasonable. Shouldn't the ocsptool loop over the
>> > complete cert list and check each cert? What do you think?
>> Indeed, that would be the right thing to do. If there is a patch for
>> that I'll apply it.
> Hi Nikos,
> I made up a first patch to check the whole cert chain.
> Not sure what to do for e.g. www.google.com where the last cert in the chain
> is not verifiable via OCSP.
Thank you. I've applied a modified patch, where this is skipped. With
the updated patch, we check OCSP for the certificates we have
information to use. For the others, we simply cannot check them.
regards,
Nikos
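The behaviour agreed above, walking the whole chain and OCSP-checking only the certificates for which a responder URI and an issuer are available, as an added example in Python. This is not GnuTLS or ocsptool code; it assumes the `cryptography` package, builds a constructed three-certificate chain in-process with placeholder responder URLs, and stops at producing the DER OCSP request rather than sending it.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import AuthorityInformationAccessOID as AIA, NameOID

def make_cert(cn, issuer=None, ocsp_url=None):
    # Constructed test certificate; issuer is (cert, key) or None for self-signed.
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = dt.datetime(2015, 1, 19, tzinfo=dt.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(subject)
         .issuer_name(issuer[0].subject if issuer else subject)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + dt.timedelta(days=365)))
    if ocsp_url:  # only certs that advertise a responder in AIA can be checked
        b = b.add_extension(x509.AuthorityInformationAccess([x509.AccessDescription(
            AIA.OCSP, x509.UniformResourceIdentifier(ocsp_url))]), critical=False)
    return b.sign(issuer[1] if issuer else key, hashes.SHA256()), key

def ocsp_responder(cert):
    # OCSP responder URI from the AIA extension, or None if the cert has none.
    try:
        aia = cert.extensions.get_extension_for_class(x509.AuthorityInformationAccess).value
    except x509.ExtensionNotFound:
        return None
    urls = [ad.access_location.value for ad in aia if ad.access_method == AIA.OCSP]
    return urls[0] if urls else None

def plan_ocsp_checks(chain):
    # chain is leaf-first; returns (cn, url, der_request), with None/None when unverifiable.
    out = []
    for i, cert in enumerate(chain):
        cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
        issuer = chain[i + 1] if i + 1 < len(chain) else None
        url = ocsp_responder(cert)
        if issuer is None or issuer.subject != cert.issuer or url is None:
            out.append((cn, None, None))  # skip: no issuer or no responder to ask
            continue
        # A request names the cert by serial plus hashes of the issuer's name and key.
        req = ocsp.OCSPRequestBuilder().add_certificate(cert, issuer, hashes.SHA1()).build()
        out.append((cn, url, req.public_bytes(serialization.Encoding.DER)))
    return out

def build_test_chain():
    root, rkey = make_cert("Test Root")  # self-signed, no AIA: cannot be checked
    inter, ikey = make_cert("Test Intermediate", (root, rkey), "http://ocsp.example/root")
    leaf, _ = make_cert("www.example", (inter, ikey), "http://ocsp.example/inter")
    return [leaf, inter, root]
```

The root is reported with no request, matching the applied patch's handling of chains whose last certificate cannot be verified via OCSP.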