[openssl-users] Certification Path Building / non-hierachical PKI
Michael Wojcik
Michael.Wojcik at microfocus.com
Sun Mar 29 15:08:38 UTC 2015
> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
> Of Salz, Rich
> Sent: Sunday, March 29, 2015 09:31
> To: openssl-users at openssl.org
> Subject: Re: [openssl-users] Certification Path Building / non-hierachical PKI
>
> > Are there any plans or patches for such a feature?
>
> We have no plans for this.
It should be relatively straightforward to implement a non-hierarchical X.509 PKI in an OpenSSL-based application using the certificate verification callback, though. The necessary graph algorithms are well-known and I believe there are existing open-source implementations (or it could be done in some language other than C that's more amenable to graph processing). It's not trivial, but between the RFC and a basic understanding of graph processing it's pretty clear what needs to be done.
A larger concern is probably the processing time for checking certification paths; as the RFC points out, this kind of graph-path processing grows quickly with the size of the graph.
--
Michael Wojcik
Technology Specialist, Micro Focus
This message has been scanned for malware by Websense. www.websense.com
More information about the openssl-users
mailing list