[openssl-users] Question on necessity of SSL_CTX_set_client_CA_list

Michael Ströder michael at stroeder.com
Thu Dec 6 10:48:09 UTC 2018


On 12/6/18 10:03 AM, Jakob Bohm via openssl-users wrote:
> On 05/12/2018 17:59, Viktor Dukhovni wrote:
>> IIRC Apple's Safari is ending support for EV, and some say that EV
>> has failed, and are not sorry to see it go.
>
> This is very bad for security.  So far the only real failures have
> been:
> 
> 1. Some cloud provider(s) actively want to reduce all TLS security to
>   the anonymous form provided by Let's Encrypt, and are doing their worst
>   to sabotage EV providing CAs.

Quoting from Peter Gutmann's "Engineering Security",
section "EV Certificates: PKI-me-Harder"

    Indeed, cynics would say that this was exactly the problem that
    certificates and CAs were supposed to solve in the first place, and
    that “high-assurance” certificates are just a way of charging a
    second time for an existing service.

I fully agree with the above and I'm also for removing this crap from
the browser UI.

Ciao, Michael.
