Yo Achim! On Wed, 03 Apr 2019 20:23:37 +0200 Achim Gratz via devel <devel@ntpsec.org> wrote:
> Gary E. Miller via devel writes:
>
>> I think openssl is expecting the root cert.
>
> OpenSSL expects a PKI directory (in which each cert has to have a
> certain filename so it doesn't have to read all files each time) or a
> bundle file with all the certs concatenated.

Not so much what OpenSSL expects as what Hal coded.

>> And in the case of ostfalia, I could only get their root cert
>> because I was talking to the guy. The much more common case is I just
>> have the end cert.
>
> If you can't get the root cert, you cannot validate anything that has
> this root as the trust anchor.

And yet, yesterday I was able to use git head to validate using just a
Let's Encrypt chain file. So, yes, you need a root file to validate
against a root file, but you can validate against intermediate files too.
This is a good thing.

> A root cert is nothing but a normal
> cert that is signed by the same public key that it certifies (plus
> some metadata around it). It's a "root" cert because there is no
> further way of verifying it.

Sure, if you ignore OCSP, revocation lists, pinning, etc. But not really
important to NTS. An NTS user should be able to validate as he wishes.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller
Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
g...@rellim.com  Tel:+1 541 382 8588

Veritas liberabit vos. -- Quid est veritas?
"If you can’t measure it, you can’t improve it." - Lord Kelvin