[xmlsec] Re: GOST support in xmlsec
Aleksey Sanin
aleksey at aleksey.com
Tue Feb 14 07:39:16 PST 2006
>> Hm... Any particular reason for this? It seems to me that if you have
>> trusted certs then you need to use *all* of them. Plus I am a little
>> bit afraid that this might screw existing applications.
>
> It seems to me there is almost no reason to avoid installing trusted
> certs and corresponding CRLs to the system storage. So the user can either
> provide the chain passing all necessary certs manually or suppose the
> root cert (or 1st some certs) are already present in the system.
>
> Unfortunately, we didn't find a way to add trusted certs to system
> store during cert chain verification.
>
Exactly! So why not keep the existing logic:
- check the "current" trusted certs from the KeyManager (kind of session
trusted certs)
- then check the system trusted certs
I am not sure I like the idea of excluding system certs altogether. It
does not sound right to me.
Aleksey