Message361120
I agree that having both would be best, but there is a world of difference between a must-have (peer_cert_chain) and what seems to be a nice-to-have (authed_peer_cert_chain).
My request for clarification was not that I don't understand bags, etc. (see my first message), but that I don't understand the concrete use case in mind. That is, when is it that the app-logic would differ because the EE cert validated using one path versus another?
To explain the 'must-have' better, imagine one peer sending [A, B, C], where 'A' is the EE cert, and the other peer having TA [F, E, D], where 'F' is the self-signed root TA and 'D' is the Issuer that signed 'C'. The complete chain is [A-F] and this is what the SSL-level code will use during the handshake. But post-handshake, without peer_chain_cert(), there is NO WAY for the app-logic to create a valid chain. This is broken, for the reason mentioned in my first message. |
|
Date |
User |
Action |
Args |
2020-01-31 15:23:17 | kwatsen | set | recipients:
+ kwatsen, jcea, pitrou, christian.heimes, asmodai, njs, maker, Hiroaki.Kawai, underrun, dstufft, dsoprea, miki725, mmasztalerczuk, chet, joernheissler, chaen, chrisburr |
2020-01-31 15:23:17 | kwatsen | set | messageid: <1580484197.75.0.110408090094.issue18233@roundup.psfhosted.org> |
2020-01-31 15:23:17 | kwatsen | link | issue18233 messages |
2020-01-31 15:23:17 | kwatsen | create | |
|