On Sun, Dec 27, 2015 at 10:20:41PM +0000, Matt Caswell wrote:

> > I am very tempted to say that this misconfiguration *should* fail,
> > it is far better to send an *empty* list of trusted CAs than send
> > the Vladivostok phone directory.
>
> I strongly disagree.

I did say *tempted*. In practice, I too would oppose that maximalist stance.

> > Sending the whole bundle to every client is not a good idea. The
> > empty list works much better in every respect.
>
> This might be worthwhile as a *server side* solution. It should not
> prevent us from accepting long CertificateRequests on the client.

We're on the same page, see the discussion on your MR in gitlab.

-- 
Viktor.
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev