Why does OpenSSL report google's certificate is "self-signed"?

Viktor Dukhovni openssl-users at dukhovni.org
Wed Mar 31 18:45:56 UTC 2021

> On Mar 31, 2021, at 2:42 PM, Blumenthal, Uri - 0553 - MITLL <uri at ll.mit.edu> wrote:
> You are right - there’s no urgency in PQ signatures. 
> However, PQ KEM keys aren’t small. And, as I said, für austere links every unnecessary byte of crap hurts. 
> Also, sending root certs seems (marginally) useful only when the recipient is a Web browser. And even then I  assume most of the IT people would want to block the ability of a “mere” user to add an “unblessed” trusted root. 

I am not trying to suggest that including the root CA in the server's
chain is a best practice.  I am sticking with mostly harmless.

And even with DANE, my recommendation is to use an intermediate CA
with the DANE-TA(2) records, and not rely on the root CA being part
of the transmitted chain.


More information about the openssl-users mailing list