Martin Peylo

Just as thoughts: Probably obvious that in case of a self-signed certificate, relying on a CRL which might have been signed with a compromised key (if that is the revocation...

Since 510a082e87c39bedf4f17376d135ab876f6f433b, OSSL_CMP_MSG_check_received() fails if incoming message has pvno !=OSSL_CMP_PVNO - but ErrorMsgContent is **not** sent.

> Just combine caPubs and extraCerts (with roots only from caPubs) into one bucket and iterate figuring out the chains? I somewhat recall that there should already be a function...

>> A new generalInfo Extension could be defined that includes a list of KeyIdentifiers which build up a full chain for newly issued certificates (their issuer/serial should be also included)....

I don't think that there is any Extended Key Usage extension which would fit in case of signature-based message protection. E.g. a CA or RA (or EE) is in this...

> Re-using id-kp-serverAuth for CMP servers would be at least more secure than including anyExtendedKeyUsage. Quite the contrary. Having Extended Key Usage at all would actually expand the permitted usage...

I don't really see the benefit from having lower-case field names - but that's needlessly complicating things, to my understanding would not be in line how upstream OpenSSL is handling...