

Re: [PATCH] openssl: allow partial trust chains

From: Daniel Stenberg
Date: Mon, 30 Nov 2015 18:27:29 +0100 (CET)

On Mon, 30 Nov 2015, Tim Ruehsen wrote:

>> They are not, and for each and every one of those features we have had this
>> discussion of how to deal with them and whether we can enable them by
>> default or not.
> Well, you threw the points into the discussion, in my understanding "If we
> have these features, why not short-cut the checks of the trust chain".

Not quite.

You said a user trusting an intermediate CA would be a bad idea if the CA is
compromised (unless I'm understanding you wrong). I don't see how, and I asked
for an explanation. With the full knowledge this may be due to my own
shortcomings in PKI details.

I then mentioned some ways such a situation can possibly be detected with
existing options. Since I don't understand your objection, I can't say whether
the extra options cover the situation you have in mind or not.

Received on 2015-11-30
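What the "partial trust chain" behaviour argued about above actually changes is easiest to see with the openssl command line. The script below is an added example, not code from curl, from the patch or from anyone in the thread. It issues a throwaway root, intermediate and leaf certificate (the subjects, file names and extension profiles are made up for the demo) and then verifies the leaf four ways: with only the root trusted and the intermediate missing, with the root trusted and the intermediate supplied as untrusted, with only the intermediate trusted under the default policy, and with only the intermediate trusted plus -partial_chain (OpenSSL's X509_V_FLAG_PARTIAL_CHAIN, the flag the patch exposes). The third case fails under the default policy because OpenSSL insists the chain end in a self-signed certificate from the trust store; the fourth succeeds because -partial_chain lets any certificate in the store act as the trust anchor. Note that openssl verify -CAfile still consults the default CA directory unless -no-CApath is given, which is why the helper passes it.

```shell
#!/bin/sh
# Added demonstration (not code from curl or from the thread): build a
# root -> intermediate -> leaf chain with the openssl CLI, then verify the
# leaf against different trust stores to show what X509_V_FLAG_PARTIAL_CHAIN
# (openssl verify -partial_chain) changes. Subjects and file names are
# made up for the demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Issue the three certificates into $WORK (idempotent).
make_chain() {
    [ -f "$WORK/leaf.pem" ] && return 0
    (
        cd "$WORK"
        # Extension profiles: CA certificates must carry basicConstraints
        # CA:TRUE or OpenSSL rejects them as issuers (X509_V_ERR_INVALID_CA).
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
        printf 'basicConstraints=CA:FALSE\n' > leaf.ext

        # Root: self-signed.
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
            -keyout root.key -out root.csr 2>/dev/null
        openssl x509 -req -days 1 -in root.csr -signkey root.key \
            -extfile ca.ext -out root.pem 2>/dev/null

        # Intermediate: signed by the root.
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
            -keyout int.key -out int.csr 2>/dev/null
        openssl x509 -req -days 1 -in int.csr -CA root.pem -CAkey root.key \
            -CAcreateserial -extfile ca.ext -out int.pem 2>/dev/null

        # Leaf: signed by the intermediate.
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.test" \
            -keyout leaf.key -out leaf.csr 2>/dev/null
        openssl x509 -req -days 1 -in leaf.csr -CA int.pem -CAkey int.key \
            -CAcreateserial -extfile leaf.ext -out leaf.pem 2>/dev/null
    )
}

# verify_leaf TRUSTFILE [extra openssl verify options...]
# Exit status is openssl's: 0 if leaf.pem chains to a trust anchor in
# TRUSTFILE under the given options, non-zero otherwise. -no-CApath keeps
# the system CA directory out of the picture (-CAfile alone does not).
verify_leaf() {
    trust="$1"
    shift
    openssl verify -no-CApath "$@" -CAfile "$WORK/$trust" "$WORK/leaf.pem"
}

# Print one labelled result; the if keeps a failing verify from tripping set -e.
show() {
    label="$1"
    shift
    if verify_leaf "$@" >/dev/null 2>&1; then echo "OK    $label"; else echo "FAIL  $label"; fi
}

make_chain
show "trust root only, intermediate not supplied"   root.pem
show "trust root, intermediate sent as untrusted"   root.pem -untrusted "$WORK/int.pem"
show "trust intermediate only, default policy"      int.pem
show "trust intermediate only, -partial_chain"      int.pem -partial_chain
```

Run it and the first and third lines come back FAIL, the second and fourth OK. The third case is the one the thread is about: the intermediate is in the trust store, yet the default policy still reports "unable to get issuer certificate" because it wants to walk up to a self-signed root. The -partial_chain run shows the relaxed policy in which the intermediate itself is the anchor, and it is exactly as strong as the trust the operator places in that one certificate.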