[openssl-users] Question on necessity of SSL_CTX_set_client_CA_list

Jakob Bohm jb-openssl at wisemo.com
Thu Dec 6 12:11:59 UTC 2018


On 06/12/2018 11:48, Michael Ströder wrote:
> On 12/6/18 10:03 AM, Jakob Bohm via openssl-users wrote:
>> On 05/12/2018 17:59, Viktor Dukhovni wrote:
>>> IIRC Apple's Safari is ending support for EV, and some say that EV
>>> has failed, and are not sorry to see it go.
>> This is very bad for security.  So far the only real failures have
>> been:
>>
>> 1. Some cloud provider(s) actively want to reduce all TLS security to
>>    the anonymous form provided by Let's Encrypt, and are doing their worst
>>    to sabotage EV providing CAs.
> Quoting from Peter Gutmann's "Engineering Security",
> section "EV Certificates: PKI-me-Harder"
>
>      Indeed, cynics would say that this was exactly the problem that
>      certificates and CAs were supposed to solve in the first place, and
>      that “high-assurance” certificates are just a way of charging a
>      second time for an existing service.
>
> I fully agree with the above and I'm also for removing this crap from
> the browser UI.
Peter Gutmann, for all his talents, dislikes PKI with a vengeance.

EV is a standard for OV certificates done right.  Which involves more
thorough identity checks, stricter rules for the CAs to follow etc.

The real point of EV certificates is to separate CAs that do a good
job from those that do a more sloppy job, without completely distrusting
the mediocre CA operations.

Due to market forces, the good CAs also offer the weaker certificate
types at a lower price to compete with the mediocre CAs that aren't
good/thorough enough to do the full job.

The way EV certs are highlighted in browsers (green bar etc.) was a way
to create market demand for the higher quality.  They could be indicated
in some other useful way of course, but the distinction between "The
CA did something to check the name and real world address in the
certificate" (OV) versus "The CA checked the name and real world
address thoroughly in accordance with the higher quality standard" (EV)
is still of some significance.

If you look at that long list of CA roots preinstalled in a typical
browser, only a minority are authorized, trusted and audited to issue
to the higher EV standard.
Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded