OCSP chain revocation


I'm doing some testing to use OCSP with SecureTransport, and I want to check if kSecTrustOptionRequireRevPerCert is still relevant or if the whole chain is always checked.

I did some testing and it seems that the whole chain is always checked.

Cheers, Jose


Hello Jose,

A few things here. When you mentioned "SecureTransport," did you mean that you are using the SecureTransport APIs? If so, please move to the Security Options APIs with Network framework for any TLS work.

Regarding kSecTrustOptionRequireRevPerCert, I'm not sure of the status of this flag. If you want to open a TSI, I can do some research, but performing full chain validation does sound correct to me off the top of my head.

Matt Eaton
DTS Engineering, CoreOS