On Tuesday 21 November 2006 08:30, Dr. Stephen Henson wrote:
> On Mon, Nov 20, 2006, Patrick Patterson wrote:
> > Hi All;
> >
> > Since I can't find a "Todo" or upcoming feature list on the openssl.org
> > site, I thought that I'd ask to the list what is being worked on for
> > 0.9.9.
> >
> > I'd also like to ask about the status of a couple of different items:
> >
> > 1: EC Certificates - from what I can tell, it would be rather tricky to
> > generate X.509 certificates using EC instead of RSA.

> That is supported in 0.9.9. Note that some features in EC standards have
> not been finalised though.

I know... however, there are beginning to be several implementations that are
moving towards EC certs, so it's good to see that OpenSSL is ahead of the

> > 2: Name Constraints processing.
> >
> > 3: RFC3280 "pdval" Policy and Path validation.

> What do you mean by "pdval"? Policy processing except for policy mappings
> (which isn't mandatory for RFC3280) support is present in 0.9.9 but it
> hasn't been tested for RFC3280 compliance yet.

PDVal = Path Discovery and Validation - essentially, having the validation
engine chase AIA, CRLdP, and check for validity of the presented certificate
and all of its trust chain members in real time, across a potentially
dynamically created trust chain, as well as perform the construction and
validation of a policy tree, to ensure that Policy A presented by the client
certificate certified by CA C, maps to a required Policy B that is expressed
in the trust anchor D. Very complicated I know, but we're beginning to see
people that want to do this. Does the current plan call for this level of
RFC3280 implementation? If it does not (and even if it does), we would be
interested in helping out. Is this the right place to discuss architecture
for such a project?

> Some changes to make name constraint processing easier to implement have
> been added to 0.9.9 but not the processing itself. It is possible to
> generate certificates using name constraints extensions however.

I tried checking out the repository listed on openssl.org, however, I don't
see any tags for OpenSSL-0.9.9 - has it been branched yet? Also, I've seen
other tags such as:

OpenSSL-rfc3820-0_9_7-stable - which rfc3280 work was this?


Patrick Patterson
President and Chief PKI Architect
Carillon Information Security Inc.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majordomo@openssl.org
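The policy-tree part of the PDVal scenario described above (client policy A, certified by CA C, mapped to policy B required by trust anchor D), as an added illustration that is not part of this thread or of OpenSSL's implementation: a simplified Python model of RFC 3280 section 6.1 policy processing, with constructed OIDs and hypothetical Cert/Node helpers.

```python
# Simplified RFC 3280 section 6.1 policy-tree processing (anyPolicy, policyMappings,
# user-initial-policy-set).  Hypothetical, not OpenSSL's code; inhibitPolicyMapping and
# inhibitAnyPolicy skip counts and self-issued certificates are left out.
from collections import namedtuple
ANY = "anyPolicy"
# policies: certificatePolicies asserted; mappings: issuerDomainPolicy -> set(subjectDomainPolicy)
Cert = namedtuple("Cert", "name policies mappings", defaults=({},))
# expected: expected_policy_set for the next cert; top: first non-anyPolicy policy on the path
Node = namedtuple("Node", "valid_policy expected top")

def _child(parent, p):
    return Node(p, frozenset({p}), p if parent.valid_policy == ANY else parent.top)

def build_policy_tree(chain):
    """chain runs from the cert issued by the trust anchor to the end entity; returns
    the nodes at the final depth, or [] when the tree has become NULL."""
    level = [Node(ANY, frozenset({ANY}), ANY)]
    for i, cert in enumerate(chain, 1):
        pols = cert.policies - {ANY}
        matched = {p for p in pols for n in level if p in n.expected}   # 6.1.3 (d)(1)(i)
        nxt = []
        for n in level:
            # (d)(1)(ii): unmatched policies hang off an anyPolicy parent; (d)(2): anyPolicy in the cert carries forward whatever the parent expects
            kids = [p for p in pols if p in n.expected or (n.valid_policy == ANY and p not in matched)]
            if ANY in cert.policies:
                kids += [e for e in n.expected if e not in kids]
            nxt += [_child(n, k) for k in kids]
        if not nxt:
            return []                                   # 6.1.3 (e)/(f): tree becomes NULL
        if i < len(chain):                              # 6.1.4 (b): policyMappings rewrite expected sets
            nxt = [n._replace(expected=frozenset(cert.mappings.get(n.valid_policy, n.expected))) for n in nxt]
        level = nxt
    return level

def validate_policies(chain, user_initial_policy_set):
    """6.1.5 (g): intersect with the user's policies; empty means failure when a policy is required."""
    leaves = build_policy_tree(chain)
    if ANY not in user_initial_policy_set:
        leaves = [n for n in leaves if n.top in user_initial_policy_set or n.top == ANY]
    return {p for n in leaves for p in (user_initial_policy_set if n.valid_policy == ANY else {n.valid_policy})}

# Constructed chain from the mail: anchor D requires policy B; D's cross-certificate to CA C
# asserts B and maps it to C's local policy A; the client certificate issued by C asserts A.
B, A = "1.3.6.1.4.1.99999.1", "1.3.6.1.4.1.99999.2"    # constructed OIDs, not registered ones
CLIENT = Cert("client (issued by C)", frozenset({A}))

def mapped_chain():    # -> {A}: A is accepted as C's name for the required policy B
    return validate_policies([Cert("C (issued by D)", frozenset({B}), {B: {A}}), CLIENT], {B})
def unmapped_chain():  # -> set(): without the mapping no node survives and the tree is NULL
    return validate_policies([Cert("C (issued by D)", frozenset({B})), CLIENT], {B})
```

The same functions also show why an anyPolicy intermediate does not by itself satisfy a required policy: a chain of Cert("x", frozenset({ANY})) followed by CLIENT validates against {ANY} but not against {B}.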