[openssl-dev] [openssl.org #4287] Option -attime for "openssl ts -verify"

Broda, Frank Frank.Broda at ipb-halle.de
Wed Mar 2 16:16:49 UTC 2016


On Tue Feb 02 Stephen Henson wrote:
> On Tue Feb 02 15:56:01 2016, Frank.Broda at ipb-halle.de wrote:
> > Hi,
> > please find my pull request on
> > https://github.com/openssl/openssl/pull/610
> >
> > These two patches add an -attime option to "openssl ts -verify"
> > similar to the same option in "openssl verify". This allows checking 
> > of timestamp responses with expired certificates. Documentation has 
> > been updated as well.
> IMHO a better way to handle this is to make "ts" handle general verify
> options the same way that ocsp, verify, cms, s_client and s_server do; then
> you get -attime support automatically.

The implementation for "ts -verify" would be straightforward. But 
for "ts -query" and "ts -reply" an existing "-policy" option produces 
conflicts. I'm not sure how to resolve this. Two alternatives come 
to my mind:

1. Rename the original "-policy" option to something like "-requestpolicy" (please 
suggest alternatives). In this case it would not be possible to call "ts -query" 
with an "-attime" option (or all the other verify options which do not make sense 
in this context). The drawback is: it would break some existing code, because the 
original "-policy" option gets renamed.

2. Remove the original "-policy" option from the list of options and use the 
"OPT_V_OPTIONS" throughout. The policy would then be extracted from 
the X509_VERIFY_PARAM structure created during parsing of the verify options.
This does not seem elegant to me. It would allow lots of options which make no 
sense in "ts -query" and "ts -reply". Probably I'd make a mess when 
trying to implement this.

Please excuse my poor understanding of the whole subject. There might be other 
strategies, but I'm not aware of them.

Kind regards,


