[openssl-users] Question on necessity of SSL_CTX_set_client_CA_list

Blumenthal, Uri - 0553 - MITLL uri at ll.mit.edu
Thu Dec 6 20:06:58 UTC 2018

>    > Quoting from Peter Gutmann's "Engineering Security",
>    > section "EV Certificates: PKI-me-Harder"
>    >
>    >      Indeed, cynics would say that this was exactly the problem that
>    >      certificates and CAs were supposed to solve in the first place, and
>    >      that “high-assurance” certificates are just a way of charging a
>    >      second time for an existing service.
>    Peter Gutman, for all his talents, dislikes PKI with a vengeance.
>     EV is a standard for OV certificates done right.  Which involves more
>    thorough identity checks, stricter rules for the CAs to follow etc.
>     The real point of EV certificates is to separate CAs that do a good
>    job from those that do a more sloppy job, without completely distrusting
>    the mediocre CA operations.
So, a CA that's supposed to validate its customer before issuing a certificate, may do a "more sloppy job" if he doesn't cough up some extra money.

I think Peter is exactly right here. CA either do their job, or they don't. If they agree to certify a set of attributes, they ought to verify each one of them.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5211 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20181206/a1c83a15/attachment-0001.bin>

More information about the openssl-users mailing list