Add support for CRLs partitioned by reason code.

[openssl.git] / CHANGES

diff --git a/CHANGES b/CHANGES
index 966a90021c9b6e62d777e523aaddad604c40a027..6e1bf9c0a4a220410e977e93a989bc8494f4449b 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,31 @@
 
  Changes between 0.9.8i and 0.9.9  [xx XXX xxxx]
 
+  *) Support for CRLs partitioned by reason code. Reorganise CRL processing
+     code and add additional score elements. Validate alternate CRL paths
+     as part of the CRL checking and indicate a new error "CRL path validation
+     error" in this case. Applications wanting additional details can use
+     the verify callback and check the new "parent" field. If this is not
+     NULL CRL path validation is taking place. Existing applications wont
+     see this because it requires extended CRL support which is off by
+     default.
+
+     This work was sponsored by Google.
+     [Steve Henson]
+
+  *) Support for freshest CRL extension.
+
+     This work was sponsored by Google.
+     [Steve Henson]
+
+  *) Initial indirect CRL support. Currently only supported in the CRLs
+     passed directly and not via lookup. Process certificate issuer
+     CRL entry extension and lookup CRL entries by bother issuer name
+     and serial number. Check and process CRL issuer entry in IDP extension.
+
+     This work was sponsored by Google.
+     [Steve Henson]
+
   *) Add support for distinct certificate and CRL paths. The CRL issuer
      certificate is validated separately in this case. Only enabled if
      an extended CRL support flag is set: this flag will enable additional