Apache and Pathfinder

Author: Dave Coombs Date: 2008-02-04 19:05:51

So Patrick recently wrote about Pathfinder, a system we've made, consisting of a daemon and a library, that allows applications to do proper RFC 3280 dynamic path validation. It's easy to use, it follows the standard quite comprehensively, and it works.

But what good's a library that no one uses?

We'll be taking it upon ourselves to create and submit patches to common PKI-aware applications to enable them to use Pathfinder.

For my first trick, I'm pleased to announce The Pathfinder Patch for Apache 2.2.8. It allows mod_ssl to properly validate all incoming client certificates before any content is dished out. May it work for you and forever solve all your problems!

It handles various extensions that are common in a bridged trust environment like the TSCP, such as policy constraints and name constraints. But the most compelling new feature this automatically gives Apache is that you don't have to restart the server every time a CRL is updated.

I'll be continuing to work on the patch a bit more, but as it is, it works, and I'd be very happy to hear from anybody who'd like to give it a try!