Steve,

Please, please, please put your comments like this into the CVS source or man
pages. Your knowledge of this stuff is priceless to us mere mortals! :-)

Thank you.

Rob
-----Original Message-----
From: Dr S N Henson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 12, 2001 12:57 PM
To: [EMAIL PROTECTED]
Subject: Re: OCSP_basic_verify

Tat Sing Kong wrote:
>
> (sobbing) I have been looking for the documentation, but there is none. All
> I can see is the definition of some flags:
>
> #define OCSP_NOCERTS 0x1
> #define OCSP_NOINTERN 0x2
> #define OCSP_NOSIGS 0x4
> #define OCSP_NOCHAIN 0x8
> #define OCSP_NOVERIFY 0x10
> #define OCSP_NOEXPLICIT 0x20
> #define OCSP_NOCASIGN 0x40
> #define OCSP_NODELEGATED 0x80
> #define OCSP_NOCHECKS 0x100
> #define OCSP_TRUSTOTHER 0x200
> #define OCSP_RESPID_KEY 0x400
> #define OCSP_NOTIME 0x800
>
> What are they?
>

I meant you can check the ocsp.c source code and documentation and see how
each option is related to the flag it sets. Most of the time you won't need
any of the flags.

However for the OCSP_basic_verify operation here's a summary...

OCSP_NOINTERN don't look internally in the OCSP response for the signer's
certificate only look in the certs STACK. Same as -no_intern in ocsp app.

OCSP_NOSIGS don't verify the signature on the response. Same as
no_sig_verify in ocsp app.

OCSP_NOCHAIN don't chain verify the signer's certificate: this effectively
means all other certificates in the chain must be in the trusted store. Same
as no_chain.

OCSP_NOVERIFY don't verify the signer's certificate in any way. Same as
no_cert_verify.

OCSP_NOEXPLICIT don't support explicit trust of a root CA.

OCSP_NOCASIGN don't allow an OCSP response to be signed by the issuing CA
certificate.

OCSP_NODELEGATED don't allow delegated trust.

OCSP_NOCHECKS don't perform additional checks on the signer's certificate.
Same as no_cert_checks.

OCSP_TRUSTOTHER if the response signer's cert is one of those in the 'certs'
STACK then implicitly trust it: don't verify it or check it in any way. Same
as trust_other.

Steve.
--
Dr Stephen N. Henson.
http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED]
PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
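The flag-to-option mapping in Steve's summary can be exercised end to end with the ocsp app itself. The script below is an added example, not code from this thread or from the OpenSSL project: it builds a throw-away CA, a leaf certificate and two delegated responder certificates in a temp directory (every file name, subject and the responder index file are constructed here), signs one "good" response with each responder, and then verifies those responses with the command-line equivalents of OCSP_NOCHECKS (-no_cert_checks), OCSP_NOVERIFY (-no_cert_verify) and OCSP_TRUSTOTHER (-VAfile, which is -verify_other plus -trust_other). It assumes an openssl binary, 1.1.1 or later, on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): exercise the OCSP_basic_verify flags
# through their "openssl ocsp" command-line equivalents against a throw-away
# PKI built in a temp directory. File names, subjects, the index file and the
# two responder certificates are all constructed for this demo.

# Issue a certificate from the demo CA. $1 = basename, $2 = subject,
# $3 = optional extension line (e.g. "extendedKeyUsage=OCSPSigning").
issue_cert() {
    name=$1 subj=$2 ext=${3:-}
    openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
    [ -z "$ext" ] || printf '%s\n' "$ext" > "$WORK/$name.ext"
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 2 ${ext:+-extfile $WORK/$name.ext} \
        -out "$WORK/$name.pem" >/dev/null 2>&1
}

# Build the CA, a leaf, and two delegated responders: one carrying the
# OCSPSigning extended key usage, one without it.
setup_demo_pki() {
    WORK=$(mktemp -d)
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.csr" >/dev/null 2>&1
    # Explicit basicConstraints so chain building accepts the root as a CA.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 2 \
        -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" >/dev/null 2>&1
    issue_cert leaf "/CN=leaf"
    issue_cert resp_eku "/CN=Responder with OCSPSigning EKU" "extendedKeyUsage=OCSPSigning"
    issue_cert resp_noeku "/CN=Responder without EKU"
    # Responder database for "openssl ocsp -index": status, expiry, revocation
    # date, serial, file, subject (tab separated); the leaf is marked valid.
    serial=$(openssl x509 -in "$WORK/leaf.pem" -noout -serial | cut -d= -f2)
    printf 'V\t991231235959Z\t\t%s\tunknown\t/CN=leaf\n' "$serial" > "$WORK/index.txt"
    # Request without a nonce so the later verifications need not carry one.
    openssl ocsp -issuer "$WORK/ca.pem" -cert "$WORK/leaf.pem" -no_nonce \
        -reqout "$WORK/req.der" >/dev/null 2>&1
}

# Produce a signed response for the leaf using responder $1, written to
# $WORK/$2 (the app's responder mode; OCSP_basic_sign() in the library).
ocsp_sign_response() {
    openssl ocsp -index "$WORK/index.txt" -CA "$WORK/ca.pem" -rsigner "$WORK/$1.pem" \
        -rkey "$WORK/$1.key" -reqin "$WORK/req.der" -no_nonce \
        -respout "$WORK/$2" >/dev/null 2>&1
}

# Verify a response the way a client would. Extra arguments are "openssl ocsp"
# options that map onto OCSP_basic_verify flags. Returns 0 only when the app
# reports "Response verify OK".
ocsp_verify() {
    resp=$1; shift
    out=$(openssl ocsp -respin "$WORK/$resp" -issuer "$WORK/ca.pem" -cert "$WORK/leaf.pem" \
        -CAfile "$WORK/ca.pem" -no_nonce "$@" 2>&1) || true
    case $out in *"Response verify OK"*) return 0 ;; *) return 1 ;; esac
}

report() {  # print one verification outcome
    r=$1; shift
    if ocsp_verify "$r" "$@"; then echo "verify OK   : $r $*"; else echo "verify FAIL : $r $*"; fi
}

setup_demo_pki
ocsp_sign_response resp_eku good.der
ocsp_sign_response resp_noeku noeku.der
report good.der                                  # delegated responder with EKU: accepted
report noeku.der                                 # no OCSPSigning EKU: "missing ocspsigning usage"
report noeku.der -no_cert_checks                 # OCSP_NOCHECKS skips the issuer/EKU check only
report noeku.der -no_cert_verify                 # OCSP_NOVERIFY skips chain building and checks
report noeku.der -VAfile "$WORK/resp_noeku.pem"  # OCSP_TRUSTOTHER: signer is in 'certs', never verified
rm -rf "$WORK"
```

The run shows that a delegated responder lacking the OCSPSigning EKU is rejected by the default checks, and that each bypass option removes exactly one stage of OCSP_basic_verify: -no_cert_checks drops only the issuer/delegation check, -no_cert_verify drops chain building as well, and -VAfile short-circuits everything after the signature check because the signer was handed in through the 'certs' STACK. In a real client those flags are only appropriate when the responder certificate has been established out of band; otherwise the default path is the one that actually ties the response to the issuing CA.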