curl-library

Re: [PATCH] openssl: allow partial trust chains

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Mon, 30 Nov 2015 18:27:29 +0100 (CET)

On Mon, 30 Nov 2015, Tim Ruehsen wrote:

>> They are not, and for each and every one of those features we have had this
>> discussion of how to deal with them and whether we can enable them by
>> default or not.
>
> Well, you threw the points into the discussion, in my understanding "If we
> have these features, why not short-cut the checks of the trust chain".

Not quite.

You said a user trusting an intermediate CA would be a bad idea if the CA is
compromised (unless I'm understanding you wrong). I don't see how, and I asked
for an explanation. With the full knowledge this may be due to my own
shortcomings in PKI details.

I then mentioned some ways such a situation possibly can be detected with
existing options. Since I don't understand your objection, I can't say if the
extra options cover the situation you think of or not.

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2015-11-30