Why does OpenSSL report Google's certificate is "self-signed"?
Viktor Dukhovni
openssl-users at dukhovni.org
Wed Mar 31 18:45:56 UTC 2021
> On Mar 31, 2021, at 2:42 PM, Blumenthal, Uri - 0553 - MITLL <uri at ll.mit.edu> wrote:
>
> You are right - there’s no urgency in PQ signatures.
>
> However, PQ KEM keys aren’t small. And, as I said, for austere links every unnecessary byte of crap hurts.
>
> Also, sending root certs seems (marginally) useful only when the recipient is a Web browser. And even then I assume most of the IT people would want to block the ability of a “mere” user to add an “unblessed” trusted root.

I am not trying to suggest that including the root CA in the server's
chain is a best practice. I am sticking with mostly harmless.

And even with DANE, my recommendation is to use an intermediate CA
with the DANE-TA(2) records, and not rely on the root CA being part
of the transmitted chain.
--
Viktor.
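
The recommendation above, as an added example that is not part of the original message or of the OpenSSL project's code: this shell sketch builds a constructed root, intermediate and leaf with the openssl CLI, derives a "2 1 1" (DANE-TA, SPKI, SHA-256) TLSA value for each CA, and checks which one can be matched when the server sends only leaf plus intermediate. The host name mail.example.test, the port-25 owner name, the helper function names, and the plain digest comparison (standing in for a DANE verifier that sees only the transmitted chain) are assumptions.

```shell
#!/bin/sh
# Added example: constructed throwaway PKI; every name and key here is made up.
set -eu

# TLSA "selector 1, matching type 1" value: SHA-256 over the DER SubjectPublicKeyInfo.
spki_sha256() {
  openssl x509 -in "$1" -noout -pubkey |
    openssl pkey -pubin -outform DER |
    openssl dgst -sha256 -r | cut -d' ' -f1
}

# Build root -> intermediate -> leaf in directory $1.
make_chain() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Demo Root' \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate' \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -days 2 -out "$d/int.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=mail.example.test' \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# Succeeds if TLSA digest $1 matches a CA certificate among the files given
# after it, i.e. the certificates the server sent after its leaf.
ta_in_sent_chain() {
  want=$1; shift
  for cert in "$@"; do
    [ "$(spki_sha256 "$cert")" = "$want" ] && return 0
  done
  return 1
}

demo() {
  d=$(mktemp -d); make_chain "$d"
  for ca in int root; do
    rr="_25._tcp.mail.example.test. IN TLSA 2 1 1 $(spki_sha256 "$d/$ca.pem")"
    # Server sends leaf + intermediate only; the root is omitted.
    if ta_in_sent_chain "${rr##* }" "$d/int.pem"; then echo "match:    $rr"
    else echo "no match: $rr"; fi
  done
  rm -rf "$d"
}
demo
```

The record derived from the intermediate matches the transmitted chain; the one derived from the root matches only if the server also sends the root.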