Adam, regarding your patch in #28 (0001-hash-the-data-in-the-token.patch), can't you use cms_verify to get the output instead of doing ASN.1 parsing?
In any case, doing short-lived PKI tokens instead of relying on revocation is probably easier if the deployer can tolerate the risk.