Hi,

On Tue Feb 02 Stephen Henson wrote:

> On Tue Feb 02 15:56:01 2016, [email protected] wrote:
> > Hi,
> >
> > please find my pull request on
> > https://github.com/openssl/openssl/pull/610
> >
> > These two patches add an -attime option to "openssl ts -verify"
> > similar to the same option in "openssl verify". This allows checking
> > of timestamp responses with expired certificates. Documentation has
> > been updated as well.
> >
> IMHO a better way to handle this is to make "ts" handle general verify
> options the same way that ocsp, verify, cms, s_client and s_server do then
> you get -attime support automatically.
The implementation for "ts -verify" would be straightforward. But for "ts -query" and "ts -reply" an existing "-policy" option produces conflicts. I'm not sure how to resolve this. Two alternatives come to my mind:

1. Rename the original "-policy" option to something like "-requestpolicy" (please suggest alternatives). In this case it would not be possible to call "ts -query" with an "-attime" option (or all the other verify options which do not make sense in this context). The drawback is: it would break some existing code, because the original "-policy" option gets renamed.

2. Remove the original "-policy" option from the list of options and use the "OPT_V_OPTIONS" throughout. The policy would then be extracted from the X509_VERIFY_PARAM structure created during parsing of the verify options. This seems not elegant to me. It would allow lots of options which make no sense in "ts -query" and "ts -reply". Probably I'd make a mess when trying to implement this. Please excuse my poor understanding of the whole subject.

There might be other strategies, but I'm not aware of them.

Kind regards,
Frank

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
