[gnutls-devel] OCSP / gnutls_ocsp_status_request_is_checked()

Tim Ruehsen tim.ruehsen at gmx.de
Mon Jan 19 14:36:31 CET 2015


For caching and user-information purposes I would like to see
gnutls_ocsp_status_request_is_checked() (or a new function, see below)
return three states:

1. no stapled OCSP response
2. cert is valid
3. cert has been revoked

Since we have to check the whole cert chain (you already mentioned RFC 6961),
I suggest a new function that returns an array of result codes, one for each
cert in the chain, similar to gnutls_certificate_get_peers(). Each result code
would be e.g. Notavail, Valid or Revoked.
This approach would work with the current state (one stapled response) and
with future implementations of RFC 6961 (without it, OCSP stapling seems
totally incomplete).

Maybe it's time to contact the Apache and Nginx people to think about rfc 

What do you think?

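The following is an added example written for this page, not code from the mail or from GnuTLS. It models the per-certificate result array the mail proposes (one entry per cert, leaf first, as with gnutls_certificate_get_peers()) and shows how a caller would fold it into a single verdict plus a cache expiry. All type and function names here (ocsp_status_t, ocsp_chain_entry_t, ocsp_chain_verdict) are hypothetical, not GnuTLS identifiers, and the chains in main() are constructed sample data. The policy it encodes: any Revoked entry wins; any missing (or already expired) response makes the chain Notavail, which is what today's single stapled response yields for every intermediate until RFC 6961 support exists; only an all-Valid chain is Valid, and it is cacheable until the earliest nextUpdate among its responses.

```c
#include <stddef.h>
#include <stdio.h>
#include <time.h>

/* Hypothetical three-state result per certificate (not a GnuTLS enum). */
typedef enum {
    OCSP_NOTAVAIL = 0,  /* no stapled response for this cert */
    OCSP_VALID    = 1,  /* stapled response says "good" */
    OCSP_REVOKED  = 2   /* stapled response says "revoked" */
} ocsp_status_t;

/* One entry per cert in the chain, leaf first. next_update is the
 * response's nextUpdate, or 0 when absent (no response, or a response
 * without nextUpdate, which OCSP allows). */
typedef struct {
    ocsp_status_t status;
    time_t next_update;
} ocsp_chain_entry_t;

/* Fold the per-cert array into one verdict.
 *  - REVOKED if any cert is revoked (always wins);
 *  - NOTAVAIL if any cert has no usable response (none stapled, or the
 *    stapled one is past nextUpdate): caller must fall back to a live
 *    OCSP query or CRL for that cert;
 *  - VALID only if every cert has a current "good" response.
 * *cache_until gets the earliest nextUpdate of a VALID chain, or 0 when
 * the verdict is not cacheable (not VALID, or a response lacked nextUpdate). */
ocsp_status_t ocsp_chain_verdict(const ocsp_chain_entry_t *chain, size_t n,
                                 time_t now, time_t *cache_until)
{
    ocsp_status_t verdict = OCSP_VALID;
    time_t until = 0;
    int cacheable = 1;

    if (n == 0) {                       /* empty chain: nothing verified */
        if (cache_until) *cache_until = 0;
        return OCSP_NOTAVAIL;
    }
    for (size_t i = 0; i < n; i++) {
        switch (chain[i].status) {
        case OCSP_REVOKED:
            if (cache_until) *cache_until = 0;
            return OCSP_REVOKED;        /* nothing else matters */
        case OCSP_NOTAVAIL:
            verdict = OCSP_NOTAVAIL;
            break;
        case OCSP_VALID:
            if (chain[i].next_update == 0) {
                cacheable = 0;          /* good, but may change any time */
            } else if (chain[i].next_update <= now) {
                verdict = OCSP_NOTAVAIL; /* stale: no better than none */
            } else if (until == 0 || chain[i].next_update < until) {
                until = chain[i].next_update;
            }
            break;
        }
    }
    if (cache_until)
        *cache_until = (verdict == OCSP_VALID && cacheable) ? until : 0;
    return verdict;
}

static const char *ocsp_status_name(ocsp_status_t s)
{
    return s == OCSP_VALID ? "Valid" : s == OCSP_REVOKED ? "Revoked" : "Notavail";
}

int main(void)
{
    /* Constructed sample: what a client sees today, one stapled response
     * for the leaf and nothing for the intermediate. */
    ocsp_chain_entry_t today[2] = { { OCSP_VALID, 2000 }, { OCSP_NOTAVAIL, 0 } };
    /* Constructed sample: an RFC 6961 style multi-stapled chain. */
    ocsp_chain_entry_t multi[2] = { { OCSP_VALID, 3000 }, { OCSP_VALID, 2000 } };
    time_t now = 1000, cache_until;

    printf("single staple: %s, cache until %ld\n",
           ocsp_status_name(ocsp_chain_verdict(today, 2, now, &cache_until)),
           (long)cache_until);
    printf("multi staple:  %s, cache until %ld\n",
           ocsp_status_name(ocsp_chain_verdict(multi, 2, now, &cache_until)),
           (long)cache_until);
    return 0;
}
```

The verdict deliberately refuses to cache anything but an all-Valid chain, so a Notavail intermediate never gets silently promoted to "checked" by a cache hit on the leaf.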