On Thursday 26 November 2015 10:43:07 Petr Pisar wrote:
> On Thu, Nov 26, 2015 at 10:25:31AM +0100, Tim Ruehsen wrote:
> > > If only an intermediate CA in the chain is trusted, setting this
> > > flag also allows the connection when the root CA is not trusted.
> >
> > Maybe I don't get your point.
> > The server cert is signed by an intermediate CA. This is signed by
> > (intermediate cert | root CA). Repeat the last step until you reach the
> > root CA.
> > The root CA is the only one you trust by definition (normally/often root
> > CAs are installed by your distribution).
>
> I must disagree. For example, many authorities (as a company) have one root
> authority and then several subordinated authorities with different policies.
> For example, one is compliant to government requirements, while the other
> one issues cheaper certificates with less detailed validation. Then I want
> to trust only certificates issued by the one intermediate authority. Adding
> the one subauthority to trusted set and removing the root certificate from
> the set solves the issue for me. Especially when common TLS libraries
> cannot discriminate on certificate policy OIDs.

I just don't like this behavior being the default. I have nothing against some kind of configuration / option.

Tim
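
The trust-store setup discussed in this thread (intermediate trusted, root removed) can be reproduced with the OpenSSL command line. This is an added example, not part of the original messages or of curl's code; it assumes OpenSSL 1.0.2 or later, assumes the flag under discussion corresponds to OpenSSL's partial-chain verification (`-partial_chain`), and uses a constructed throwaway CA hierarchy whose names are made up.

```shell
#!/bin/sh
# Constructed throwaway PKI: Demo Root CA -> Demo Sub CA -> server.example

# Print "accept" or "reject" for one `openssl verify` invocation.
verdict() {
    if openssl verify "$@" >/dev/null 2>&1; then echo accept; else echo reject; fi
}

# Create a key and CSR for subject $2, writing $1.key and $1.csr.
mkreq() {
    openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "$2" >/dev/null 2>&1
}

# Sign $1.csr with CA $2 using extension file $3, writing $1.pem.
sign() {
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
        -CAcreateserial -extfile "$3" -days 2 -out "$1.pem" >/dev/null 2>&1
}

partial_chain_demo() {
    d=$(mktemp -d) || return 2
    (
        cd "$d" || exit 2
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
        printf 'basicConstraints=CA:FALSE\n' > leaf.ext
        # Self-signed root, then the intermediate, then the server certificate.
        mkreq root "/CN=Demo Root CA" && openssl x509 -req -in root.csr \
            -signkey root.key -extfile ca.ext -days 2 -out root.pem \
            >/dev/null 2>&1 || exit 2
        mkreq sub "/CN=Demo Sub CA" && sign sub root ca.ext || exit 2
        mkreq leaf "/CN=server.example" && sign leaf sub leaf.ext || exit 2

        # Trust store holds ONLY the intermediate; the root is deliberately absent.
        a=$(verdict -CAfile sub.pem leaf.pem)                 # default chain building
        b=$(verdict -partial_chain -CAfile sub.pem leaf.pem)  # intermediate as anchor
        # Conventional setup: root trusted, intermediate supplied as untrusted.
        c=$(verdict -CAfile root.pem -untrusted sub.pem leaf.pem)
        echo "default=$a partial_chain=$b root_trusted=$c"
    )
    rc=$?
    rm -rf "$d"
    return $rc
}

partial_chain_demo
```
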
