On Thu, Nov 26, 2015 at 10:25:31AM +0100, Tim Ruehsen wrote:
> > If only an intermediate CA in the chain is trusted, setting this
> > flag also allows the connection when the root CA is not trusted.
>
> Maybe I don't get your point.
> The server cert is signed by an intermediate CA. This is signed by
> (intermediate cert | root CA). Repeat the last step until you reach the root
> CA.
> The root CA is the only one you trust by definition (normally/often root CAs
> are installed by your distribution).

I must disagree. For example, many authorities (as a company) have one root authority and then several subordinate authorities with different policies. For example, one is compliant with government requirements, while the other one issues cheaper certificates with less detailed validation. Then I want to trust only certificates issued by the one intermediate authority. Adding the one sub-authority to the trusted set and removing the root certificate from the set solves the issue for me. Especially when common TLS libraries cannot discriminate on certificate policy OIDs.
-- Petr
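As an added illustration of the trust-store arrangement Petr describes (this is not code from the thread or from curl), the Go program below builds a constructed root with two sibling policy CAs and checks which leaf certificates verify when only one policy CA is in the trust store versus when the root is. Go's crypto/x509 accepts any certificate placed in Roots as a trust anchor, so the partial-chain behaviour discussed above is the default there; all names and keys are constructed test data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a certificate for cn with key usage ku, signed by parent (nil parent: self-signed
// root); IsCA follows from keyCertSign. Names and keys are constructed test data.
func mkCert(cn string, ku x509.KeyUsage, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: ku, IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verifies reports whether leaf chains to anchor, given the intermediates a server would send.
// Any certificate in Roots is accepted as a trust anchor, whether or not it is self-signed.
func verifies(leaf, anchor *x509.Certificate, sent ...*x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(anchor)
	for _, c := range sent {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err == nil
}

// Demo builds one root with two sibling policy CAs and reports which leaves verify when only
// Policy CA A is trusted (first two results) versus when the root is trusted (last two).
func Demo() (onlyAAcceptsA, onlyAAcceptsB, rootAcceptsA, rootAcceptsB bool) {
	root, rootKey := mkCert("Example Root CA", x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil, nil)
	polA, keyA := mkCert("Example Policy CA A", x509.KeyUsageCertSign|x509.KeyUsageCRLSign, root, rootKey)
	polB, keyB := mkCert("Example Policy CA B", x509.KeyUsageCertSign|x509.KeyUsageCRLSign, root, rootKey)
	leafA, _ := mkCert("a.example.test", x509.KeyUsageDigitalSignature, polA, keyA)
	leafB, _ := mkCert("b.example.test", x509.KeyUsageDigitalSignature, polB, keyB)
	return verifies(leafA, polA), verifies(leafB, polA), verifies(leafA, root, polA), verifies(leafB, root, polB)
}
```

Removing the root from the trust store and keeping only Policy CA A is what turns the second result false while the first stays true; with the root trusted, both sibling CAs' leaves are accepted.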
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html