forgot to copy the list..

Hi,

Sorry, I missed the point that only referenced files are being replaced.

On Sat, Dec 12, 2015 at 9:31 PM, Jonathan K. Bullard <jkbull...@gmail.com> wrote:
> I'm not clear at all about --crl-verify. Would it ever be used in a
> client? Would there be a security risk if a client erased the contents
> of the file? (Would that allow a client to connect to a server that
> has a revoked certificate which would otherwise not be allowed?
>

The risk appears to be even less than that of the user replacing ca (i.e. very minor). With a new ca, the user can connect to a server presenting a cert from that ca. With crl replaced or removed, the client can connect to a server using a revoked cert. Both these cases also need DNS or IP spoofing as you do not allow --remote to be modified by the user.

Unless admins start misusing crl as an easy way of disabling a remote (among multiple remotes) listed in <connection> .. </connection>

Selva