| author | Rob Austein <sra@hactrn.net> | 2006-08-02 19:38:09 +0000 |
|---|---|---|
| committer | Rob Austein <sra@hactrn.net> | 2006-08-02 19:38:09 +0000 |
| commit | 59c58be8c6498d8f2c43597b1068f47d78b8a78e (patch) | |
| tree | e28258fb24338e885b043c66a2334ca3d8869bf2 /openssl/README | |
| parent | d35e92660f57787e3e35add33c4f4d4f65254d5b (diff) | |
Update notes
svn path=/openssl/README; revision=136
Diffstat (limited to 'openssl/README')
-rw-r--r-- | openssl/README | 16 |
1 files changed, 12 insertions, 4 deletions
diff --git a/openssl/README b/openssl/README index 2c990199..28bda784 100644 --- a/openssl/README +++ b/openssl/README @@ -232,10 +232,18 @@ Random reminders and notes to myself: that the authoritative definition of RDIs is ISO 10747, available as http://www.acm.org/sigs/sigcomm/standards/iso_stds/IDRP/10747.TXT. -- Need to add NIDs for RFC 3779 extensions to - crypto/x509v3/v3_purp.c:supported_nids[] and call our path - validation functions from crypto/x509/x509_vfy.c:X509_verify_cert(). - - Should we check entire chain or only up to ctx->last_untrusted? For the moment I'm checking the entire chain because that's more likely to yield a correct answer, albiet perhaps inefficiently. + +- "openssl verify" reports an unknown critical exception error for + certificatePolicies (RFC 3280 4.2.1.5). + +- Right way to handle error reporting from xxx_canonize() functions is + almost certainly a callback; this would fit fairly well with the + callback mechanism OpenSSL already uses in X509_validate_cert(). + +- xxx_canonize() functions may need a mode where they just whine and + do not attempt to correct the extension. + +- Other error checking needed: duplicate extensions. |
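Review bot: the added callback item refers to "the callback mechanism OpenSSL already uses in X509_validate_cert()", but the entry point is X509_verify_cert(), exactly as the removed lines just above spell it (crypto/x509/x509_vfy.c:X509_verify_cert()); the TODO should name the right function so the future reader looks in the right place. Two smaller points in the same hunk: "unknown critical exception error" in the certificatePolicies item presumably means "unknown critical extension error", and the removed item about adding RFC 3779 NIDs to crypto/x509v3/v3_purp.c:supported_nids[] and hooking path validation into X509_verify_cert() disappears without saying whether it was completed or abandoned, which the commit message "Update notes" does not clarify either; one clause in the notes (or in the commit message) would keep the file useful as a record of what is still outstanding.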