author | Sebastian Benoit <benno@cvs.openbsd.org> | 2019-11-29 17:58:12 +0000 |
---|---|---|
committer | Sebastian Benoit <benno@cvs.openbsd.org> | 2019-11-29 17:58:12 +0000 |
commit | 3577b049b22a5b0fa4963fc551eef4f62e9c338a (patch) | |
tree | d6d52f24d9b998ae79006ec7474410441f18eea0 /usr.sbin/rpki-client/TODO.md | |
parent | 61d7a5098a32f1499633764b1618b03c344d1fc1 (diff) |
remove two items from the todo list
Diffstat (limited to 'usr.sbin/rpki-client/TODO.md')
-rw-r--r-- | usr.sbin/rpki-client/TODO.md | 11 |
1 files changed, 0 insertions, 11 deletions
diff --git a/usr.sbin/rpki-client/TODO.md b/usr.sbin/rpki-client/TODO.md index f70857a3ee2..d8b4708f425 100644 --- a/usr.sbin/rpki-client/TODO.md +++ b/usr.sbin/rpki-client/TODO.md @@ -17,17 +17,6 @@ The following are unclear to me. period overlap. I need to see if there's a more programmatic way to check before commiting the routes to output. -- (Not a particular helpful security measure, but...) The validators - should all be run in their own process: the syntax parser should not - be performing the route validation. This is a mechanical step, as all - the logic to do so is in place. - -- (**Important**.) Using `X509_STORE` and validating using - `X509_verify_cert` is overkill and costs us the most in performance - because it effectively re-validates the entire chain. Instead, apply - the immediate parent as the "trusted" certificate once it has been - validated. - - (**Important**.) Stipulating `X509_V_FLAG_IGNORE_CRITICAL` might be dangerous. Which extensions are being ignored should be double-checked. |
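Review bot: The two entries removed in the `@@ -17,17 +17,6 @@` hunk are dropped with no indication of whether they were implemented or abandoned; the commit message says only "remove two items from the todo list". This matters most for the second entry, which is marked **Important** and proposes replacing `X509_STORE` / `X509_verify_cert` with the already-validated immediate parent as the "trusted" certificate. A reader auditing the chain-validation path cannot tell from this change which approach the code now takes. Suggest stating in the commit message, for each item, whether it is done or no longer wanted, and if done, referencing the change that did it. The same applies to the first entry (running the validators in their own process, so the syntax parser does not perform route validation), which the removed text itself describes as a mechanical step.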