Yo Achim!

On Wed, 03 Apr 2019 20:52:36 +0200
Achim Gratz via devel <devel@ntpsec.org> wrote:

> Gary E. Miller via devel writes:
> >> If you can't get the root cert, you cannot validate anything that
> >> has this root as the trust anchor.
> >
> > And yet, yesterday I was able to use git head to validate using just
> > a Let's Encrypt chain file. So, yes, you need a root file to
> > validate against a root file, but you can validate against
> > intermediate files too. This is a good thing.
>
> _You_ moved the root up by declaring the intermediate to be the new
> root.

Except you specified a root is self signed. Which this is not. It is
obviously an intermediate on its face.

> Which (as was said multiple times before) just means that once
> you've found a cert that has ultimate trust no further checks will be
> performed, even when there are independent cert chains that would lead
> to other trust anchors.

No further check? I guess you missed my second paragraph in the email
you are replying to that mentions pinning, stapling, revocation lists,
date checking, etc.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
g...@rellim.com Tel:+1 541 382 8588

Veritas liberabit vos. -- Quid est veritas?
"If you can’t measure it, you can’t improve it." - Lord Kelvin
_______________________________________________
devel mailing list
devel@ntpsec.org
http://lists.ntpsec.org/mailman/listinfo/devel