Add OCSP doc. Rewrite 1.11.0 release notes.

3 files changed, 70 insertions, 42 deletions

diff --git a/doc/contents.txt b/doc/contents.txt
index 835fabf82..d55c36cc3 100644
--- a/doc/contents.txt
+++ b/doc/contents.txt
@@ -14,6 +14,7 @@ Contents
    filters
    pubkey
    x509
+   ocsp
    tls
    credentials_manager
    bigint
diff --git a/doc/ocsp.txt b/doc/ocsp.txt
new file mode 100644
index 000000000..51486dbc1
--- /dev/null
+++ b/doc/ocsp.txt
@@ -0,0 +1,34 @@
+OCSP
+========================================
+
+A client makes an OCSP request to what is termed an 'OCSP responder'.
+This responder returns a signed response attesting that the
+certificate in question has not been revoked.
+
+.. cpp:class:: OCSP::Request
+
+ .. cpp:function:: OCSP::Request(const X509_Certificate& issuer_cert, \
+                                 const X509_Certificate& subject_cert)
+
+      Create a new OCSP request
+
+ .. cpp:function:: std::string base64_encode() const
+
+      Encode the current OCSP request as a base64 string.
+
+.. cpp:class:: OCSP::Response
+
+  .. cpp:function:: OCSP::Response(const Certificate_Store& trusted_roots, \
+                                   const std::vector<byte>& response)
+
+       Deserializes *response* sent by a responder, and checks that it
+       was signed by a certificate associated with one of the CAs
+       stored in *trusted_roots*.
+
+  .. cpp:function:: bool affirmative_response_for(const X509_Certificate& issuer, \
+                                                  const X509_Certificate& subject) const
+
+      Returns true if and only if this OCSP response is not an error,
+      is signed correctly, and the response indicates that *issuer* is
+      not currently revoked.
+
diff --git a/doc/relnotes/1_11_0.txt b/doc/relnotes/1_11_0.txt
index 6321eafbe..d8bc5515c 100644
--- a/doc/relnotes/1_11_0.txt
+++ b/doc/relnotes/1_11_0.txt
@@ -1,45 +1,38 @@
 Version 1.11.0, Not Yet Released
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-* The codebase has converted to C++11. Currently GCC 4.7 and Clang 3.1
-  are known to work.
-
-* The MemoryVector and SecureVector container types have been removed.
-  An alias of std::vector using an allocator that clears memory named
-  secure_vector is used for key material, and std::vector is used for
-  everything else.
-
-* The method of mlocking memory is much improved, and if the process
-  can mlock memory then it will be used automatically.
-
-* The TLS interface is now non-blocking and does not directly interact
-  with sockets. An example TLS server using asio is included which
-  scales to at least 64 processors.
-
-* X509_Store has been removed. x509_path_validate in x509path.h now
-  handles path validation and Certificate_Store handles storage of
-  certificates and CRLs.
-
-* Add support for OCSP
-
-* TLS v1.2 is now supported
-
-* TLS now supports session resumption. Session information can be
-  saved in memory or to an encrypted SQLite database.
-
-* TLS renegotiation is now supported
-
-* TLS client authentication is now supported
-
-* TLS SRP and PSK ciphersuites are now supported
-
-* TLS session tickets are now supported
-
-* TLS ECDH key exchange and ECDSA certificates are now supported
-
-* Add support for SHA-2 ciphersuites
-
-* Add support for anonymous DH/ECDH ciphersuites
-
-
-
+In this release, many new features of C++11 are being used in the
+library. Currently GCC 4.7 and Clang 3.1 are known to work. This
+version of the library cannot be compiled by or used with a C++98
+compiler.
+
+There have been many changes and improvements to :doc:`TLS
+<../tls>`. The interface is now purely event driven and does not
+directly interact with sockets.  New TLS features include TLS v1.2
+support, client certificate authentication, renegotiation, session
+tickets, and session resumption. Session information can be saved in
+memory or to an encrypted SQLite3 database. Newly supported TLS
+ciphersuite algorithms include using SHA-2 for message authentication,
+pre shared keys and SRP for authentication and key exchange, ECC
+algorithms for key exchange and signatures, and anonymous DH/ECDH key
+exchange.
+
+Support for :doc:`OCSP <../ocsp>` has been added. Currently only
+client-side support exists.
+
+The API for X.509 path validation has changed, with
+``x509_path_validate`` in x509path.h now handles path validation and
+``Certificate_Store`` handles storage of certificates and CRLs.
+
+The memory container types have changed substantially.  The
+MemoryVector and SecureVector container types have been removed, and
+an alias of std::vector using an allocator that clears memory named
+secure_vector is used for key material, with std::vector being used
+for everything else.
+
+The technique used for mlock'ing memory on Linux and BSD systems is
+much improved. Now a single page-aligned block of memory (the exact
+limit of what we can mlock) is mmap'ed, with allocations being done
+using a best-fit allocator and all metadata held outside the mmap'ed
+range, in an effort to make best use of the very limited amount of
+memory current Linux kernels allow unpriveledged users to lock.