Initial OCSP certificate verify. Not complete,

it just supports a "trusted OCSP global root CA".
author: Dr. Stephen Henson <steve@openssl.org> 2001-01-17 01:31:34 +0000
committer: Dr. Stephen Henson <steve@openssl.org> 2001-01-17 01:31:34 +0000
commit: 81f169e95c86fe9b2c3a7ba51a85f7a00763a0e7 (patch)
tree: 9c61e9161ee5332e99d091153a4cd242160b9180 /CHANGES
parent: a068630a2038ff167d29cdaed828161719355531 (diff)
1 files changed, 10 insertions, 0 deletions
diff --git a/CHANGES b/CHANGES
index c11115318e..d0e2699364 100644
--- a/CHANGES
+++ b/CHANGES
@@ -3,6 +3,16 @@
 
  Changes between 0.9.6 and 0.9.7  [xx XXX 2000]
 
+  *) Initial OCSP certificate verification added to OCSP_basic_verify()
+     and related routines. This uses the standard OpenSSL certificate
+     verify routines to perform initial checks (just CA validity) and
+     to obtain the certificate chain. Then additional checks will be
+     performed on the chain. Currently the root CA is checked to see
+     if it is explicitly trusted for OCSP signing. This is used to set
+     a root CA as a global signing root: that is any certificate that
+     chains to that CA is an acceptable OCSP signing certificate.
+     [Steve Henson]
+
   *) New '-extfile ...' option to 'openssl ca' for reading X.509v3
      extensions from a separate configuration file.
      As when reading extensions from the main configuration file,
author	Dr. Stephen Henson <steve@openssl.org>	2001-01-17 01:31:34 +0000
committer	Dr. Stephen Henson <steve@openssl.org>	2001-01-17 01:31:34 +0000
commit	81f169e95c86fe9b2c3a7ba51a85f7a00763a0e7 (patch)
tree	9c61e9161ee5332e99d091153a4cd242160b9180 /CHANGES
parent	a068630a2038ff167d29cdaed828161719355531 (diff)