> > and you've just multiplied your public key computation
> > load by a factor of three or four.
> No, you "merely" double it. One - check that the identity cert is
> valid, two - that the attribute cert that *you* are interested in (out of a
> dozen that may be attached to this identity cert) is OK.

Not even that, because you save the cost of determining authorization some other way. The other common way is some kind of secure connection to an authorization box. One extra PK computation is probably less costly than that. (And if you cache the certificate's validity, you only need to do that once on a given server for a given user.)

DS