On Sat, Sep 24, 2016 at 11:18 AM, Ken Hornstein <[email protected]> wrote:
> The _code_ to verify a certificate chain in OpenSSL is relatively
> straightforward; I'm not worried about writing that. But sadly, the
> configuration for all of that is lousy, and you start to see why web
> browsers ship with their own set of root certificates. A brief survey
> suggests to me that common open-source systems do not ship a set of
> popular commercial root certificates. That would require people to get
> root certificates ... and while I can imagine that SOME people, here
> especially, would bother to do that, let's be honest: most people WON'T.
> As we've seen, a lot of people don't use replyfilter despite it being
> around for 4 years and something everyone complains about. So it would
> be a fair amount of code that few people would use, and even less know
> about.
>

Any system that does not maintain up-to-date certificates is just broken;
an invitation for security vulnerabilities to be exploited in situations
where expired or revoked certificates can be exploited.

Validating the certificate chain should be the default and any other
options available should come with language that strongly discourages
their use.

Doing anything else would be giving people a false sense of security.

Thanks

Jeff

--
Jeffrey C. Honig <[email protected]>
https://jchonig.withknown.com
GnuPG ID:14E29E13 <http://jch.honig.net/Home/pgp_key>
Keybase: jchonig <https://keybase.io/jchonig>
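The two points in this exchange (whether the system has root certificates configured at all, and validation being the default with a discouraged opt-out) can be sketched as follows. This is an added example, not code from the thread or from nmh; it uses Python's `ssl` module, which wraps OpenSSL, rather than the C API, and the names `trust_store_report`, `make_client_context` and `insecure_skip_verify` are hypothetical.

```python
import ssl
import warnings


def trust_store_report():
    """Report where this OpenSSL build looks for root certificates."""
    paths = ssl.get_default_verify_paths()
    return {
        "cafile": paths.cafile,  # None when the bundle file does not exist
        "capath": paths.capath,  # None when the hashed directory does not exist
        # A directory that exists can still be empty; this is only a first check.
        "configured": bool(paths.cafile or paths.capath),
    }


def make_client_context(cafile=None, insecure_skip_verify=False):
    """Build a TLS client context that validates the chain unless told otherwise."""
    # create_default_context() sets CERT_REQUIRED and enables hostname checking.
    ctx = ssl.create_default_context(cafile=cafile)
    if insecure_skip_verify:
        # The opt-out exists, but it is loud about what it gives up.
        warnings.warn(
            "certificate validation disabled: the peer is NOT authenticated",
            RuntimeWarning,
            stacklevel=2,
        )
        ctx.check_hostname = False  # must be cleared before setting CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    elif cafile is None and not trust_store_report()["configured"]:
        # Fail closed with a clear message instead of an obscure handshake error.
        raise RuntimeError("no root certificates found; pass cafile explicitly")
    return ctx


if __name__ == "__main__":
    print(trust_store_report())
    try:
        ctx = make_client_context()
        print("verify_mode:", ctx.verify_mode, "check_hostname:", ctx.check_hostname)
    except RuntimeError as exc:
        print("refusing to continue:", exc)
```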
