On 29/10/2016 13:37, Jeremy Harris wrote:
On 27/10/16 21:09, Renaud Allard wrote:
In openssl source, you can see that the call should be something like:
OCSP_basic_verify(bs, verify_other, store, verify_flags);

That's overstating the case, "Can be". The question is, when is
it appropriate and safe from a security standpoint to verify
the OCSP proof using an alternate set-of-trust-anchors?


If you specify a certificate to be trusted, then you assume responsibility for the certificate you specified. It is your configuration; you are not required to add a "third-party" certificate if you don't want to. Here, this is how letsencrypt operates, so there is not much choice if you want any kind of OCSP stapling with them. Asking if adding the certificate is safe is about the same as asking if letsencrypt is safe (or not). The thing is, more and more people are now using letsencrypt and even switching from other providers to go there. And currently, exim doesn't let you do stapling with letsencrypt.


-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
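The following is an added example, not code from this thread, from Exim or from OpenSSL. It drives the three arguments of the call quoted above, OCSP_basic_verify(bs, verify_other, store, verify_flags), through the openssl command line, which passes -verify_other as `verify_other`, -CAfile / -no-CAfile as the `store`, and -trust_other as OCSP_TRUSTOTHER in `verify_flags`. The scenario is an assumption constructed for the demo: a throwaway root -> intermediate -> leaf PKI in which the intermediate signs the OCSP response and does not embed its own certificate in it, so the verifier has to be told where the signer certificate is. All names, files and keys are generated on the spot; only options present in the OpenSSL 1.1 and 3.x openssl req/x509/ocsp commands are used.

```shell
#!/bin/sh
# Added example (not from the exim-users thread, Exim or OpenSSL): exercise
#   OCSP_basic_verify(bs, verify_other, store, verify_flags)
# via the openssl CLI. Mapping: -verify_other -> verify_other,
# -CAfile/-no-CAfile -> store, -trust_other -> OCSP_TRUSTOTHER in verify_flags.
# Assumed scenario (constructed here): the intermediate CA signs the OCSP
# response and leaves its own certificate out of it.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI required" >&2; exit 1; }

WORK=$(mktemp -d)
cd "$WORK"

# Extension profiles for the two CA certificates and the leaf (constructed for the demo).
cat > ca.ext <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign,digitalSignature
subjectKeyIdentifier=hash
EOF
cat > leaf.ext <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectKeyIdentifier=hash
EOF

# Fresh throwaway key and CSR for each name.
newcsr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$2" >/dev/null 2>&1
}
newcsr root  "Demo Root"
newcsr inter "Demo Intermediate"
newcsr leaf  "Demo Leaf"

openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext \
    -out root.pem >/dev/null 2>&1
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 2 -extfile ca.ext -out inter.pem >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -set_serial 0x1234 \
    -days 2 -extfile leaf.ext -out leaf.pem >/dev/null 2>&1

# One-row CA index in "openssl ca" format marking serial 0x1234 as valid (V).
# Fields: status, expiry (not consulted for V rows), revocation date, serial, file, subject.
printf 'V\t491231235959Z\t\t1234\tunknown\t/CN=Demo Leaf\n' > index.txt

# Responder side: build a request for the leaf, answer it from index.txt, sign
# with the intermediate's key and omit the signer certificate (-resp_no_certs).
# Only resp.der is handed to the verifier below.
openssl ocsp -index index.txt -CA inter.pem -rsigner inter.pem -rkey inter.key \
    -resp_no_certs -issuer inter.pem -cert leaf.pem -no_nonce \
    -respout resp.der >/dev/null 2>&1

# Verifier side: prints "ok" when openssl reports "Response verify OK" (exit 0)
# and "fail" otherwise; the extra arguments select verify_other / store / flags.
verify_resp() {
    if openssl ocsp -respin "$WORK/resp.der" -no_nonce "$@" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# 1. store = our root, verify_other = NULL: the response carries no signer
#    certificate and the store is not searched for one, so verification
#    stops before it starts (signer certificate not found).
verify_without_other()        { verify_resp -CAfile "$WORK/root.pem"; }
# 2. store = our root, verify_other = intermediate: signer located in
#    verify_other AND chained to an anchor in the store. The sound configuration.
verify_with_root_and_other()  { verify_resp -CAfile "$WORK/root.pem" -verify_other "$WORK/inter.pem"; }
# 3. root absent from the store, verify_other = intermediate, OCSP_TRUSTOTHER:
#    accepted with no chain building at all; verify_other has become the trust anchor.
verify_trust_other_only()     { verify_resp -no-CAfile -no-CApath -verify_other "$WORK/inter.pem" -trust_other; }
# 4. As 3 but without OCSP_TRUSTOTHER: the signer is found, yet the store still
#    decides what is trusted, and our root is not in it.
verify_other_without_anchor() { verify_resp -no-CAfile -no-CApath -verify_other "$WORK/inter.pem"; }

printf '1 no verify_other, root in store:        %s\n' "$(verify_without_other)"
printf '2 verify_other + root in store:          %s\n' "$(verify_with_root_and_other)"
printf '3 verify_other + TRUSTOTHER, no root:    %s\n' "$(verify_trust_other_only)"
printf '4 verify_other, no TRUSTOTHER, no root:  %s\n' "$(verify_other_without_anchor)"
```

Cases 1 and 4 fail and cases 2 and 3 succeed. Case 2 is the combination the thread is after: the issuing intermediate is supplied through verify_other so the signer can be found, but it still has to chain to something in the store. Case 3 is the "alternate set-of-trust-anchors" mode Jeremy asks about: with OCSP_TRUSTOTHER, anything in verify_other is accepted as a signer outright and the store is never consulted, so whoever controls that file controls which OCSP answers you believe.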
