Hi there,

On Thu, 27 Jan 2000, Dr Stephen Henson wrote:
[snip]
> It's a bit broken for several reasons...
[snip]
> This method only works for lookup by subject name: any other kind of
> lookup won't work. You could have multiple links but that would rapidly
> get painful, particularly if you have to copy the certificate multiple
> times due to a lack of symbolic links.

I'd add that it's even less glamourous on Win32 (which has no symbolic
links). Perhaps I'm being obtuse but I can't fully grasp why this approach
was used in the first place ... if one changed from using the CApath
parameter as a directory with this sort of jiggery pokery in it, and
instead regarded it as the path to a file that contains some kind of "more
sophisticated"[1] information (re: available certificates and their
paths), then the underlying technique could be overhauled without any
serious impact on applications (and users would just need to call the new
c_rehash to generate such a file and point CApath to that rather than the
directory - oh yeah, and remove all those annoying symbolic links at
last). :-)

[1] I.e. an index file of a format/description completely open to debate
... it could include the existing idea of indexing hash(subjectName) to
file and/or other potentially more useful things. Could even optionally
recurse/delegate to other index files to allow more scalability. Mind you,
this is effectively writing a built in file-based database solution to
avoid having to use real database solutions. But there must be something
better than what's in use, which apart from being ugly does have the
obvious problem you highlighted - you can only hunt down certs by
subjectName.

Cheers,
Geoff
----------------------------------------------------------------------
Geoff Thorpe Email: [EMAIL PROTECTED]
Cryptographic Software Engineer, C2Net Europe http://www.int.c2.net
----------------------------------------------------------------------
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
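
Added example (not part of the original message and not OpenSSL code): the Python below contrasts the hashed-directory lookup discussed above, where each certificate needs a `<hash>.<n>` entry that becomes a full copy when symbolic links are unavailable, with a single index file that maps more than one key to the same stored file. The JSON index layout, the `name_hash` stand-in for OpenSSL's subject-name hash, the function names and the sample records are all assumptions made for illustration.

```python
import hashlib, json, tempfile
from pathlib import Path

# Constructed records standing in for parsed CA certificates (not real certs).
CERTS = [
    {"file": "root-a.pem", "subject": "CN=Example Root A",
     "issuer": "CN=Example Root A", "serial": "01"},
    {"file": "root-a-renewed.pem", "subject": "CN=Example Root A",
     "issuer": "CN=Example Root A", "serial": "02"},
    {"file": "inter-b.pem", "subject": "CN=Example Intermediate B",
     "issuer": "CN=Example Root A", "serial": "1f"},
]

def name_hash(name):
    # Assumption: stand-in for OpenSSL's subject-name hash (8 hex digits).
    return hashlib.sha256(name.encode()).hexdigest()[:8]

def rehash_dir(capath):
    """c_rehash-style layout: one <hash>.<n> entry per certificate."""
    counts = {}
    for cert in CERTS:
        h = name_hash(cert["subject"])
        n = counts[h] = counts.get(h, -1) + 1  # n separates equal hashes
        # Without symlinks each entry is a full copy; the name stands in here.
        (Path(capath) / f"{h}.{n}").write_text(cert["file"])

def lookup_dir(capath, subject):
    """Probe <hash>.0, <hash>.1, ... and stop at the first missing name."""
    h, n, found = name_hash(subject), 0, []
    while (entry := Path(capath) / f"{h}.{n}").exists():
        found.append(entry.read_text())
        n += 1
    return found

def build_index(path):
    """Hypothetical index file: several keys point at one stored file."""
    index = {"by_subject": {}, "by_issuer_serial": {}}
    for cert in CERTS:
        index["by_subject"].setdefault(name_hash(cert["subject"]), []).append(cert["file"])
        key = name_hash(cert["issuer"]) + ":" + cert["serial"]
        index["by_issuer_serial"][key] = cert["file"]
    Path(path).write_text(json.dumps(index, indent=1))

def lookup_index(path, table, key):
    return json.loads(Path(path).read_text())[table].get(key)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        rehash_dir(d)
        build_index(Path(d) / "index.json")
        print(lookup_dir(d, "CN=Example Root A"))
        print(lookup_index(Path(d) / "index.json", "by_issuer_serial",
                           name_hash("CN=Example Root A") + ":1f"))
```

The directory layout can only answer the subject-name query; the issuer-and-serial query is served from the index without any extra copy of the certificate file.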