On 2021/9/27 17:21, Marvin Häuser wrote:
> Hey Wenyi,
> 
> Sorry, I cannot help with the time one, but "partial chain" is how virtually 
> any other crypto-solution works out-of-the-box. Basically there is a 
> disagreement about what defines a root certificate, and while some think it 
> is the OpenSSL default of requiring a self-signed certificate for root, many 
> people including myself strongly disagree and do not believe it follows from 
> the RFCs. I'm not aware of any bad security implications of either model. So, 
> this merely allows any certificate in the chain (the top one may be 
> self-signed *if* it even is a certificate, it may just as well be a trusted 
> public key for all we know) to be eligible to be added to the trust store and 
> root a trust chain.
> 

Thank you for your detailed explanation, it helps a lot.
X509_V_FLAG_PARTIAL_CHAIN is clear to me now.

Wenyi

> Further reading: https://github.com/openssl/openssl/issues/7871
> 
> Cc CryptoPkg maintainers and edk2-devel for further feedback
> 
> Best regards,
> Marvin
> 
> On 27/09/2021 10:53, wenyi,xie via groups.io wrote:
>> Hello,
>>
>> I have a question about the flags set in X509_STORE. Does anyone know why we need to 
>> set the flags X509_V_FLAG_PARTIAL_CHAIN and X509_V_FLAG_NO_CHECK_TIME on the 
>> X509Store in TlsNew() (CryptoPkg\Library\TlsLib\TlsInit.c)?
>>
>> Thanks
>> Wenyi

