AW: [EXTERNAL] Stricter pathlen checks in OpenSSL 1.1.1 compared to 1.0.2?.

Viktor Dukhovni openssl-users at dukhovni.org
Fri Sep 16 14:21:31 UTC 2022


On Fri, Sep 16, 2022 at 02:11:38PM +0000, Andrew Lynch via openssl-users wrote:

> http://sm-pkitest.atos.net/cert/Atos-Smart-Grid-Test.CA.2.crt
> 
> I’ve also asked my colleagues why the download is http instead of https…

You should look to multiple independent sources to validate the
authenticity of a trust anchor public key.  Trusting "https" to prove
the validity of a WebPKI trust anchor is a bit too circular.

Also "https" is redundant for CRL and intermediate CA distribution,
since these are signed by the issuing CA.  That said, the same ".crt"
file is availabe via "https":

    https://sm-pkitest.atos.net/cert/Atos-Smart-Grid-Test.CA.2.crt

Trust anchor certificates are often delivered as an operating system
"package", and ideally the package maintainers apply proper due
diligence.

-- 
    Viktor.


More information about the openssl-users mailing list