Dear Peter,

On 3/24/26 4:11 PM, Peter Gutmann wrote:
> Just out of interest, is the trusted cert set now union( X9_root,
> every_CA_in_existence ) or is the X9 root siloed off?

Currently it is indeed unioned.

> Once you've set up your
> trusted CA system, always check whether a random cert from GoDaddy can get in
> just as easily as one from the trusted CA.  Or to put it another way, unless
> it's the free-for-all of web PKI use never use the system's trusted cert
> store when security really matters.

That's a good point. Right now some other integrations require more traditional CA signed certs, but ideally when setting up the TLS connection I'd whitelist the approved CAs rather than just use the system trust with X9 patched in.

- Raghu
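The check Peter describes (does a cert from an unrelated public CA get in as easily as one from the approved CA?) and the allowlist Raghu proposes can be demonstrated with the Go standard library alone. The following is an added example, not code from either author or from any X9 project; the CA names, hostname and the idea of an "approved" pool are constructed for illustration. It builds two throwaway CAs, issues a server certificate from each for the same hostname, and verifies both against a CertPool that contains only the approved root, which is exactly what a tls.Config whose RootCAs is that pool would do instead of consulting the system trust store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// testCA is a constructed, in-memory certificate authority used only for this example.
type testCA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newCA creates a self-signed CA certificate with the given name (constructed, not a real root).
func newCA(name string) (*testCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &testCA{cert: cert, key: key}, nil
}

// issueServerCert issues a leaf certificate for host, signed by this CA.
func (c *testCA) issueServerCert(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, c.cert, &key.PublicKey, c.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// allowlistPool returns a CertPool holding only the approved roots; nothing from the system store.
func allowlistPool(approved ...*x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, c := range approved {
		pool.AddCert(c)
	}
	return pool
}

// clientConfig is how the allowlist is applied when setting up the TLS connection.
func clientConfig(pool *x509.CertPool) *tls.Config {
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
}

// verifyAgainst chains leaf for host to the roots in pool only, as the TLS client would.
func verifyAgainst(leaf *x509.Certificate, host string, pool *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Demo runs Peter's check: approvedOK is true when the approved CA's cert verifies,
// otherRejected is true when a cert from an unrelated CA fails with UnknownAuthorityError.
func Demo() (approvedOK bool, otherRejected bool, err error) {
	approved, err := newCA("Approved Root (constructed)")
	if err != nil {
		return false, false, err
	}
	other, err := newCA("Unrelated Public CA (constructed)")
	if err != nil {
		return false, false, err
	}
	const host = "service.example.test" // constructed hostname
	good, err := approved.issueServerCert(host)
	if err != nil {
		return false, false, err
	}
	bad, err := other.issueServerCert(host)
	if err != nil {
		return false, false, err
	}
	pool := clientConfig(allowlistPool(approved.cert)).RootCAs
	var unknown x509.UnknownAuthorityError
	badErr := verifyAgainst(bad, host, pool)
	return verifyAgainst(good, host, pool) == nil, errors.As(badErr, &unknown), nil
}

func main() {
	ok, rejected, err := Demo()
	fmt.Println("approved CA accepted:", ok, "| unrelated CA rejected:", rejected, "| err:", err)
}
```

The same check applied to a context built from the system store (for Go, a nil RootCAs) would accept the second certificate as soon as its issuer is among the platform's roots, which is the union behaviour being discussed.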


_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
