[openssl-users] Question on necessity of SSL_CTX_set_client_CA_list
Viktor Dukhovni
openssl-users at dukhovni.org
Thu Dec 6 20:16:05 UTC 2018
> On Dec 6, 2018, at 3:06 PM, Blumenthal, Uri - 0553 - MITLL <uri at ll.mit.edu> wrote:
>
> So, a CA that's supposed to validate its customer before issuing a certificate, may do a "more sloppy job" if he doesn't cough up some extra money.
>
> I think Peter is exactly right here. CA either do their job, or they don't. If they agree to certify a set of attributes, they ought to verify each one of them.
While the point of EV was that it certified a binding to a (domain + business name)
rather than just a domain with DV, it turned out that displaying the business name
was also subject to abuse, and the security gain proved elusive.
https://www.troyhunt.com/extended-validation-certificates-are-dead/
--
Viktor.
More information about the openssl-users
mailing list