cURL / Mailing Lists / curl-library / Single Mail


Re: [PATCH] openssl: allow partial trust chains

From: Petr Pisar <>
Date: Thu, 26 Nov 2015 10:43:07 +0100

On Thu, Nov 26, 2015 at 10:25:31AM +0100, Tim Ruehsen wrote:
> > If only an intermediate CA in the chain is trusted, setting this
> > flag also allows the connection when the root CA is not trusted.
> Maybe I don't get your point.
> The server cert is signed by an intermediate CA. This is signed by
> (intermediate cert | root CA). Repeat the last step until you reach the root
> CA.
> The root CA is the only one you trust by definition (normally/often root CAs
> are installed by your distribution).
I must disagree. For example, many authorities (as a company) have one root
authority and then several subordinated authorities with different policies.
For example, one is compliant to government requirements, while the other one
issues cheaper certificates with less detailed validation. Then I want to
trust only certificates issued by the one intermediate authority. Adding the
one subauthority to trusted set and removing the root certificate from the set
solves the issue for me. Especially when common TLS libraries cannot
discriminate on certificate policy OIDs.

-- Petr

List admin:

Received on 2015-11-26