On 09.09.20 at 10:04, François Kooman wrote:
> On 9/8/20 6:38 PM, Arne Schwabe wrote:
>> I really wonder which large deployment want to do that instead of a CA.
>> I really understand the need for small and simple deployments. But for
>> larger deployments a CA + CRL seems more useful for everything that I
>> can come up with.
> 
> It would be more for the situation where you already have a "parallel
> trust", e.g. through an OAuth API where a CA would be redundant. Just
> having an API to register fingerprints (which would act as a CRL at the
> same time by simply removing fingerprints) is easier than having a
> complete CA with CRL.
> 
> Of course, all of this can also be done by using a CA, and something can
> be said that if you operate on that scale you can also handle the extra
> "cost" of a CA...

I am happy to review a patch that adds an allow_no_ca or similar flag to
the tls-verify option that allows this, but I don't have a real
motivation to implement it myself.

Just allowing ca to be unset while a tls-verify script is set is a bit too
dangerous for my taste.

Arne
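To make the "registered fingerprints doubling as a CRL" idea from the thread concrete, here is an added example of a --tls-verify hook that pins peers by the SHA-256 fingerprint of their leaf certificate. It is not code from the thread's participants or from the OpenVPN project. It assumes the allow_no_ca-style flag Arne describes exists (so OpenVPN would run the hook without a configured ca), an allow-list path of /etc/openvpn/peer-fingerprints.txt (overridable via FINGERPRINT_ALLOWLIST), and the tls_digest_sha256_<depth> environment variable OpenVPN exports to --tls-verify scripts; the fingerprints in the sample list are constructed values.

```shell
#!/bin/sh
# Added example (not code from the thread or from the OpenVPN project): a
# --tls-verify hook that accepts a peer only if the SHA-256 fingerprint of its
# leaf certificate is on an allow-list. Deleting a line revokes that peer, so
# the list doubles as a CRL. Assumes the "allow_no_ca"-style behaviour Arne
# mentions, i.e. that OpenVPN would run this hook without a configured ca.
#
# OpenVPN runs the hook as:  script <depth> <x509-subject>
# and exports the fingerprint as tls_digest_sha256_<depth> (colon-separated
# uppercase hex), which is why the script reads the environment, not $2.

# Path is an assumption; override with FINGERPRINT_ALLOWLIST in the env.
ALLOWLIST="${FINGERPRINT_ALLOWLIST:-/etc/openvpn/peer-fingerprints.txt}"

# Canonical form: no colons or whitespace, uppercase hex, so "ab:cd", "AB:CD"
# and "abcd" all compare equal.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \t\r' | tr 'a-f' 'A-F'
}

# check_peer <depth> <fingerprint> <allow-list file>
# Exit status 0 = accept, 1 = reject. Only the leaf certificate (depth 0)
# authenticates the peer; other chain entries neither add nor remove trust
# here, so they pass through and the decision is made at depth 0.
check_peer() {
    depth=$1
    fp=$(normalize_fp "$2")
    list=$3
    case $depth in ''|*[!0-9]*) return 1 ;; esac
    [ "$depth" -eq 0 ] || return 0
    # Fail closed: an unreadable list or a malformed fingerprint means reject.
    [ -r "$list" ] || return 1
    [ "${#fp}" -eq 64 ] || return 1
    # Strip comments, colons and blanks from the list, then require an exact,
    # whole-line match (-F: no regex, -x: whole line, -q: quiet).
    sed -e 's/#.*//' "$list" | tr -d ': \t\r' | tr 'a-f' 'A-F' | grep -Fxq "$fp"
}

# Constructed sample list (these fingerprints are made up for the demo).
write_sample_allowlist() {
    cat > "$1" <<'EOF'
# One SHA-256 fingerprint per line; colon-separated or bare hex, any case.
# alice-laptop (constructed value)
AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99
# bob-phone (constructed value)
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
EOF
}

# Offline demo: registers two peers, checks three, then "revokes" bob.
demo() {
    tmp=$(mktemp) || return 1
    write_sample_allowlist "$tmp"
    for fp in \
        aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99 \
        0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF \
        ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff; do
        if check_peer 0 "$fp" "$tmp"; then echo "accept $fp"; else echo "reject $fp"; fi
    done
    # Revocation is just removing the line.
    grep -iv '^0123456789abcdef' "$tmp" > "$tmp.new" && mv "$tmp.new" "$tmp"
    if check_peer 0 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef "$tmp"; then
        echo "bob still accepted (unexpected)"
    else
        echo "bob revoked"
    fi
    rm -f "$tmp"
}

if [ "$#" -eq 2 ]; then
    # Invoked by OpenVPN: $1 = depth; the subject in $2 is not needed here.
    case $1 in ''|*[!0-9]*) exit 1 ;; esac
    eval "peer_fp=\${tls_digest_sha256_$1}"
    if check_peer "$1" "$peer_fp" "$ALLOWLIST"; then exit 0; else exit 1; fi
elif [ "$#" -eq 0 ]; then
    demo
fi
```

Run it with no arguments to see the demo; wired in as `tls-verify /path/to/script` it reads the fingerprint from the environment. The parts worth copying are the ones that fail closed: an unreadable list, a non-numeric depth or a fingerprint that is not exactly 64 hex digits all reject, and matching is an exact whole-line comparison after normalization rather than a substring search. Later OpenVPN releases added a built-in --peer-fingerprint option for this no-CA use case, which removes the need for a script like this.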


_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
