[openssl-users] Question on necessity of SSL_CTX_set_client_CA_list

Viktor Dukhovni openssl-users at dukhovni.org
Thu Dec 6 20:16:05 UTC 2018


> On Dec 6, 2018, at 3:06 PM, Blumenthal, Uri - 0553 - MITLL <uri at ll.mit.edu> wrote:
> 
> So, a CA that's supposed to validate its customer before issuing a certificate, may do a "more sloppy job" if he doesn't cough up some extra money.
> 
> I think Peter is exactly right here. CAs either do their job, or they don't. If they agree to certify a set of attributes, they ought to verify each one of them.

While the point of EV was that it certified a binding to a (domain + business name)
rather than just a domain with DV, it turned out that displaying the business name
was also subject to abuse, and the security gain proved elusive.

  https://www.troyhunt.com/extended-validation-certificates-are-dead/

-- 
	Viktor.


