[openssl-users] Question on necessity of SSL_CTX_set_client_CA_list
Michael Ströder
michael at stroeder.com
Thu Dec 6 10:48:09 UTC 2018
On 12/6/18 10:03 AM, Jakob Bohm via openssl-users wrote:
> On 05/12/2018 17:59, Viktor Dukhovni wrote:
>> IIRC Apple's Safari is ending support for EV, and some say that EV
>> has failed, and are not sorry to see it go.
>
> This is very bad for security. So far the only real failures have
> been:
>
> 1. Some cloud provider(s) actively want to reduce all TLS security to
> the anonymous form provided by Let's encrypt, and are doing their worst
> to sabotage EV providing CAs.

Quoting from Peter Gutmann's "Engineering Security",
section "EV Certificates: PKI-me-Harder"

    Indeed, cynics would say that this was exactly the problem that
    certificates and CAs were supposed to solve in the first place, and
    that “high-assurance” certificates are just a way of charging a
    second time for an existing service.

I fully agree with the above and I'm also for removing this crap from
the browser UI.

Ciao, Michael.