On Thu, Nov 26, 2015 at 10:25:31AM +0100, Tim Ruehsen wrote:
> > If only an intermediate CA in the chain is trusted, setting this
> > flag also allows the connection when the root CA is not trusted.
>
> Maybe I don't get your point.
> The server cert is signed by an intermediate CA. This is signed by
> (intermediate cert | root CA). Repeat the last step until you reach the root
> CA.
> The root CA is the only one you trust by definition (normally/often root CAs
> are installed by your distribution).
>
I must disagree. For example, many authorities (as a company) have one root
authority and then several subordinated authorities with different policies.
For example, one is compliant to government requirements, while the other one
issues cheaper certificates with less detailed validation. Then I want to
trust only certificates issued by the one intermediate authority. Adding the
one subauthority to trusted set and removing the root certificate from the set
solves the issue for me. Especially when common TLS libraries cannot
discriminate on certificate policy OIDs.

-- Petr

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html