On 09/09/2020 11:21, Arne Schwabe wrote:
Am 09.09.20 um 10:04 schrieb François Kooman:
On 9/8/20 6:38 PM, Arne Schwabe wrote:
I really wonder which large deployment want to do that instead of a CA.
I really understand the need for small and simple deployments. But for
larger deployments a CA + CRL seems more useful for everything that I
can come up with.
It would be more for the situation where you already have a "parallel
trust", e.g. through an OAuth API where a CA would be redundant. Just
having an API to register fingerprints (which would act as a CRL at the
same time by simply removing fingerprints) is easier than having a
complete CA with CRL.
Of course, all of this can also be done by using a CA, and something can
be said that if you operate on that scale you can also handle the extra
"cost" of a CA...
I am happy to review a patch that adds a allow_no_ca or similar flag to
the tls-verify option that allows this but I don't have a real
motivation to implement it myself.
Just allowing ca not set with tls-verify script being set is a bit too
dangerous for my taste.
I too would like to see an external list of fingerprints be made available.
https://community.openvpn.net/openvpn/ticket/1323#ticket
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
