author Dr. Stephen Henson <steve@openssl.org> 2001-02-24 13:50:06 +0000
committer Dr. Stephen Henson <steve@openssl.org> 2001-02-24 13:50:06 +0000
commit f196522159a514915e6d749a71febd08e7a09b71 (patch)
tree b493a977d2737a5e5b7972174826b6b7ec867426 /CHANGES
parent 4ff18c8c3efa9416aabb50fa6e9026c2197c961b (diff)
New function and options to check OCSP response validity.
Diffstat (limited to 'CHANGES')
-rw-r--r-- CHANGES 11
1 files changed, 11 insertions, 0 deletions
diff --git a/CHANGES b/CHANGES
index 24be99630b..becaab49f8 100644
--- a/CHANGES
+++ b/CHANGES
@@ -3,6 +3,17 @@
Changes between 0.9.6 and 0.9.7 [xx XXX 2000]
+ *) Add OCSP_check_validity() function to check the validity of OCSP
+ responses. OCSP responses are prepared in real time and may only
+ be a few seconds old. Simply checking that the current time lies
+ between thisUpdate and nextUpdate max reject otherwise valid responses
+ caused by either OCSP responder or client clock innacuracy. Instead
+ we allow thisUpdate and nextUpdate to fall within a certain period of
+ the current time. The age of the response can also optionally be
+ checked. Two new options -validity_period and -status_age added to
+ ocsp utility.
+ [Steve Henson]
+
*) If signature or public key algorithm is unrecognized print out its
OID rather that just UNKOWN.
[Steve Henson]
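Review bot: The added entry has two typos in its fourth and fifth lines that obscure the meaning: "max reject" should read "may reject", and "innacuracy" should be "inaccuracy". The entry also names -validity_period and -status_age without giving their units or defaults, and does not say whether the age check is skipped unless -status_age is supplied. Because the tolerance widens the window in which a response is accepted around thisUpdate and nextUpdate, those values are worth stating here or in the ocsp utility documentation so that users know how much clock slack they are granting.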