On Tue, Oct 25, 2022 at 4:01 AM <tho...@habets.se> wrote:
> Yeah I agree that not forcing verify-full when using system CAs is a
> giant foot-gun, and many will stop configuring just until it works.
>
> Is there any argument for not checking hostname when using a CA pool
> for which literally anyone can create a cert that passes?

I don't think so. For verify-ca to make any sense, the system CA pool would need to be very strictly curated, and IMO we already have that use case covered today.

If there are no valuable use cases for weaker checks, then we could go even further than my 0002 and just reject any weaker sslmodes outright. That'd be nice.

--Jacob