On Mon, 30 Nov 2015, Tim Ruehsen wrote:
They are not, and for each and every one of those features we have had this
discussion of how to deal with them and whether we can enable them by
default or not.

Well, you threw the points into the discussion, in my understanding "If we
have these features, why not short-cut the checks of the trust chain".

Not quite.

You said a user trusting an intermediate CA would be a bad idea if the CA is
compromised (unless I'm understanding you wrong). I don't see how, and I asked
for an explanation. With the full knowledge this may be due to my own
shortcomings in PKI details.

I then mentioned some ways such a situation possibly can be detected with
existing options. Since I don't understand your objection, I can't say if the
extra options cover for the situation you think of or not.

--
/ daniel.haxx.se