To support checking the revocation status of an end entity certificate we need to be able to provide an optional set of one or more parsed CRLs (see #54 for parsing).
At a minimum we will need to augment the end entity verify_is_valid_tls_client_cert function to provide a list of parsed CRLs to consider when verifying the certificate. It may be prudent to be forward-looking here and also allow specifying a "scope" for whether the CRLs are considered during complete path building, or just for the end entity certificate. Initially we will only support consulting the CRLs for the end entity certificate, but in the future we could augment the implementation for use during path building.
In some frameworks (e.g. BoringSSL, OpenSSL, s2n) users can instead provide a callback function that can be invoked by the validation logic at the time a revocation check is required. The callback can be invoked with subject information, and consumers can implement their own logic for providing the CRL for that subject, which may include fetching it from a distribution point or loading it from disk. We should consider whether this is functionality webpki should provide.
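A sketch of the shape such an API could take, added here as an illustration and not webpki's own code: the `RevocationScope`, `Cert`, `Crl` and `check_revocation` names are assumptions, and certificates and CRLs are reduced to the issuer and serial fields the check consults. The scope selects which certificates of the built path are checked, a CRL is only consulted for certificates from the issuer that signed it, and an in-scope issuer with no supplied CRL is reported as an error rather than silently treated as "not revoked".

```rust
// Added illustration of the proposed API shape; not webpki's own code.
#[derive(Clone, Copy)]
pub enum RevocationScope {
    EndEntityOnly, // consult CRLs for the end-entity certificate only (initial plan)
    FullChain,     // consult CRLs for every certificate in the built path
}

/// Minimal parsed certificate: the issuer name and the serial number.
pub struct Cert { pub issuer: &'static str, pub serial: &'static [u8] }

/// Minimal parsed CRL: the issuer that signed it and the serials it revokes.
pub struct Crl { pub issuer: &'static str, pub revoked: &'static [&'static [u8]] }

#[derive(Debug, PartialEq, Eq)]
pub enum RevocationError {
    /// An in-scope certificate is listed by a CRL from its issuer.
    Revoked { issuer: &'static str },
    /// No supplied CRL covers the issuer of an in-scope certificate, so its
    /// status is unknown; a verifier must not treat this as "not revoked".
    NoCrlForIssuer { issuer: &'static str },
}

/// `path` is ordered end entity first, trust anchor last. Ok(()) means every
/// in-scope certificate was matched to an issuer CRL and none is revoked.
pub fn check_revocation(path: &[Cert], crls: &[Crl], scope: RevocationScope)
    -> Result<(), RevocationError>
{
    let in_scope: &[Cert] = match scope {
        RevocationScope::EndEntityOnly => &path[..path.len().min(1)],
        RevocationScope::FullChain => path,
    };
    for cert in in_scope {
        // Only a CRL signed by the certificate's own issuer is authoritative for it.
        let crl = crls
            .iter()
            .find(|c| c.issuer == cert.issuer)
            .ok_or(RevocationError::NoCrlForIssuer { issuer: cert.issuer })?;
        if crl.revoked.iter().any(|s| *s == cert.serial) {
            return Err(RevocationError::Revoked { issuer: cert.issuer });
        }
    }
    Ok(())
}
```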