Moved from tech@ to misc@ ...

On 08/09/12 06:27, Justin N. Lindberg wrote:
> I do believe this would allow me as a client to validate certs signed
> by the intermediate certs with no problem, and in fact I seem to recall
> actually doing the same thing before with self-signed certs for my own
> use, but my hesitation with this method is that those intermediate
> certs will then be trusted unconditionally, since I've just promoted
> them to root status by appending them to /etc/ssl/cert.pem.  I thought

You always put trust into the whole chain (that's why you need
intermediate certs in the first place), starting with your trusted root.
If that trust turns out to be misplaced in any one of the components
(root, intermediate, server), you lose. Here, implicit trust is just as
strong as explicitly trusting a single server certificate. The latter
provides maximum control (trusting only a single chain instead of many),
but becomes infeasible quickly. It's a trade-off, and it's good to make
an informed decision based on the application requirements. Then you
know what risk you're actually accepting, and why you do it.


Moritz

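An added example, not part of the original message: a stdlib-only audit that lists which entries of a PEM bundle such as /etc/ssl/cert.pem have an issuer name that differs from their subject name, i.e. intermediates that have been appended and are now treated as trust anchors. The function names and the sample bundle are constructed for illustration; the check compares names only and does not verify signatures.

```python
import base64, re

def tlv(buf, pos):
    """Return (tag, value_start, end) of the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):
    """Raw DER issuer and subject names of one X.509 certificate."""
    _, pos, _ = tlv(der, 0)                # Certificate SEQUENCE
    _, pos, _ = tlv(der, pos)              # tbsCertificate SEQUENCE
    fields = []                            # serial, sigalg, issuer, validity, subject
    while len(fields) < 5:
        tag, _, end = tlv(der, pos)
        if tag != 0xA0 or fields:          # skip the optional [0] version
            fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def non_root_entries(bundle_pem):
    """Indexes of bundle entries whose issuer name differs from the subject name."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                        bundle_pem, re.S)
    pairs = [issuer_subject(base64.b64decode(b)) for b in blocks]
    return [i for i, (issuer, subject) in enumerate(pairs) if issuer != subject]

# Constructed sample data: skeleton certificates without keys or signatures.
def enc(tag, *parts):
    body = b"".join(parts)
    n = len(body)                          # sample elements stay below 256 bytes
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + body

def name(cn):                              # Name with a single commonName (2.5.4.3)
    return enc(0x30, enc(0x31, enc(0x30, enc(0x06, bytes.fromhex("550403")),
                                   enc(0x0C, cn.encode()))))

def sample_cert(issuer_cn, subject_cn):
    tbs = enc(0x30, enc(0xA0, enc(0x02, bytes([2]))), enc(0x02, bytes([1])),
              enc(0x30, enc(0x06, bytes.fromhex("2a864886f70d01010b")), enc(0x05)),
              name(issuer_cn),
              enc(0x30, enc(0x17, b"120101000000Z"), enc(0x17, b"220101000000Z")),
              name(subject_cn))
    pem = base64.encodebytes(enc(0x30, tbs)).decode()
    return "-----BEGIN CERTIFICATE-----\n" + pem + "-----END CERTIFICATE-----\n"

SAMPLE_BUNDLE = (sample_cert("Test Root", "Test Root")
                 + sample_cert("Test Root", "Test Intermediate"))
```

Run against a real bundle, `non_root_entries(open("/etc/ssl/cert.pem").read())` gives the positions of entries that are not self-issued, which are the ones to review.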