Re: [PATCH] Tying validation errors to certificates

From: Alex Rousskov <rousskov_at_measurement-factory.com>
Date: Mon, 03 Jun 2013 11:25:18 -0600

On 06/02/2013 05:35 AM, Amos Jeffries wrote:
> On 29/05/2013 8:59 p.m., Tsantilas Christos wrote:
>> When Squid sends errors to the certificate validation daemon, the daemon
>> cannot tell which certificate caused which error. This is especially bad
>> because the validator has to return that same information in the
>> response (the response format requires the validator to match the error
>> to the certificate).
>> This patch adjusts the validation request format to provide that
>> information using a set of the following key=value pairs:
>>
>> error_name_N=the name of the certificate error number N
>> error_cert_N=the ID of the certificate which caused error_name_N
>>
>> where N is a non-negative integer. N values start from zero and increase
>> sequentially.
>>
>> This is a Measurement Factory project
>
> I think this problem is a side-effect of not following my suggestion
> earlier to split the certificates across concurrency channels. Yes?
> If that were done each channel would be dealing with only one
> certificate and its errors. No need to explicitly tie them together like
> this.

Hi Amos,

    The helper is validating the entire chain, not just individual
certificates. In fact, correctly validating individual certificates in
isolation is not possible in many cases. Helper concurrency channels
exist to parallelize processing of multiple independent helper
transactions. Certificate chain validation is a single helper transaction.

HTH,

Alex.
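The error_name_N / error_cert_N pairing described in the quoted patch description, as an added example of how a validation helper could consume it (example code, not Squid's own; it assumes one key=value pair per line and constructs its own sample request, since the page shows neither the exact framing nor real values):

```python
import re
from typing import Dict, List, Tuple

# Constructed sample request body (assumption: newline-separated key=value pairs).
# Certificate IDs and error names are constructed for illustration only.
SAMPLE_REQUEST = """\
error_name_0=X509_V_ERR_CERT_HAS_EXPIRED
error_cert_0=cert_0
error_name_1=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
error_cert_1=cert_1
"""

_KEY_RE = re.compile(r"^error_(name|cert)_(\d+)$")


def parse_error_pairs(body: str) -> List[Tuple[str, str]]:
    """Return [(error_name, cert_id), ...] ordered by N.

    Rejects a request whose indices do not start at zero, are not sequential,
    repeat, or have an error_name_N without its error_cert_N (or vice versa),
    so the helper never silently attributes an error to the wrong certificate.
    """
    names: Dict[int, str] = {}
    certs: Dict[int, str] = {}
    for lineno, line in enumerate(body.splitlines(), 1):
        if not line.strip():
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: not a key=value pair")
        m = _KEY_RE.match(key)
        if not m:
            continue  # other request keys are not part of the error pairing
        kind, n = m.group(1), int(m.group(2))
        target = names if kind == "name" else certs
        if n in target:
            raise ValueError(f"line {lineno}: duplicate {key}")
        target[n] = value
    if set(names) != set(certs):
        raise ValueError("error_name_N and error_cert_N indices do not match")
    expected = list(range(len(names)))
    if sorted(names) != expected:
        raise ValueError("error indices must start at 0 and be sequential")
    return [(names[n], certs[n]) for n in expected]


def errors_by_cert(body: str) -> Dict[str, List[str]]:
    """Group the parsed errors by certificate ID, which is the view a chain
    validator needs when deciding what to report back for each certificate."""
    grouped: Dict[str, List[str]] = {}
    for error_name, cert_id in parse_error_pairs(body):
        grouped.setdefault(cert_id, []).append(error_name)
    return grouped
```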