[openssl-users] Question on necessity of SSL_CTX_set_client_CA_list
Blumenthal, Uri - 0553 - MITLL
uri at ll.mit.edu
Thu Dec 6 20:06:58 UTC 2018
> > Quoting from Peter Gutmann's "Engineering Security",
> > section "EV Certificates: PKI-me-Harder"
> >
> > Indeed, cynics would say that this was exactly the problem that
> > certificates and CAs were supposed to solve in the first place, and
> > that “high-assurance” certificates are just a way of charging a
> > second time for an existing service.
>
> Peter Gutmann, for all his talents, dislikes PKI with a vengeance.
> EV is a standard for OV certificates done right. Which involves more
> thorough identity checks, stricter rules for the CAs to follow, etc.
>
> The real point of EV certificates is to separate CAs that do a good
> job from those that do a more sloppy job, without completely distrusting
> the mediocre CA operations.
So, a CA that's supposed to validate its customer before issuing a certificate may do a "more sloppy job" if the customer doesn't cough up some extra money.
I think Peter is exactly right here. CAs either do their job, or they don't. If they agree to certify a set of attributes, they ought to verify each one of them.