On Monday 30 November 2015 11:52:27 Reiner Herrmann wrote:
> On Thu, Nov 26, 2015 at 11:59:23AM +0100, Tim Ruehsen wrote:
> > I understand the scenario but one question:
> >
> > "...want to trust as few CAs as possible..." is IMO not correct. You
> > implicitly trust the rootCA (because you trust letsencryptCA), but just
> > want to avoid checking for some reasons. Why? Is it disk space or CPU
> > cycle concerns?
>
> To clarify this, I don't have any root CAs in my trust store. It is
> empty except for a few selected (intermediate) CAs that I trust because I
> verified them through other ways.

Yes, you verified them once - verification occurs at a point in time. But you drop automatic verification once and for all. IMO, in normal situations it is nice to have automatic checks each time you use a cert. If you do this without (lib)curl, this might be fine for your use case. But for regular / non-expert (lib)curl users, this seems not applicable (cert pinning and OCSP are not enabled by default - so only available to 'expert' users).

Do you need a signed CA at all? If it is just for private (or company-side) use, you won't need a signed CA at all (if you don't check the chain at all). If you also use it for public purposes (signing server certs), it could be a good idea to check the whole chain even for internal connections. If not, your customers recognize anything wrong with the chain before you do - and that makes you look lame to your customers...

> Right now it is not possible with the OpenSSL backend to verify connections,
> because of the missing root CA, even though I told curl that I trust the
> intermediate CAs by placing them into the trust store.
> Allowing partial trust chains solves this problem.

As already said, I agree with you in that this is a feature that should definitely go into (lib)curl. But why not be a bit conservative and *not* change default behavior?

> I agree that it might be a rare case that normal users don't have.
> But I also don't see a security problem by allowing shorter trust chains.

I do, but I have to find some time to answer Daniel's last mail.

Regards, Tim

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
