NTS: removed "not implemented" on server ca
Gary E. Miller
gem at rellim.com
Wed Apr 3 18:59:30 UTC 2019
Yo Achim!
On Wed, 03 Apr 2019 20:52:36 +0200
Achim Gratz via devel <devel at ntpsec.org> wrote:
> Gary E. Miller via devel writes:
> >> If you can't get the root cert, you cannot validate anything that
> >> has this root as the trust anchor.
> >
> > And yet, yesterday I was able to use git head to validate using just
> > a Let's Encrypt chain file. So, yes, you need a root file to
> > validate against a root file, but you can validate against
> > intermediate files too. This is a good thing.
>
> _You_ moved the root up by declaring the intermediate to be the new
> root.
Except you specified a root is self-signed. Which this is not.
It is obviously an intermediate on its face.
> Which (as was said multiple times before) just means that once
> you've found a cert that has ultimate trust no further checks will be
> performed, even when there are independent cert chains that would lead
> to other trust anchors.
No further check? I guess you missed my second paragraph in the email
you are replying to that mentions pinning, stapling, revocation lists,
date checking, etc.
RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
gem at rellim.com Tel:+1 541 382 8588
Veritas liberabit vos. -- Quid est veritas?
"If you can’t measure it, you can’t improve it." - Lord Kelvin
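The disagreement above is about what a "trust anchor" is: whether the verifier stops at whatever certificate sits in the trust store (so an intermediate placed there acts as the root), or whether it insists on chaining to a self-signed root. The program below is an added illustration, not code from NTPsec or from either poster, and it uses Go's standard crypto/x509 verifier rather than the OpenSSL calls NTPsec's NTS code uses. It builds a constructed three-level hierarchy (root, intermediate, leaf for the hypothetical name ntp.example.net) plus an unrelated root, then runs the scenarios the thread argues over: the intermediate supplied as an untrusted link versus the intermediate placed directly in the trust store, an unrelated anchor, and a leaf checked after its NotAfter date. All names and lifetimes are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a certificate for cn signed by parent/parentKey, or a
// self-signed root when parent is nil. Every certificate here is a
// constructed fixture for the example, not a real CA artifact.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey,
	validFor time.Duration) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial.Add(serial, big.NewInt(1)), // keep it strictly positive
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(validFor),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // server certs are matched on SANs, not CN
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil { // self-signed: the template is its own issuer
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// chainOK reports whether leaf chains to one of anchors (the trust store),
// using extras as untrusted intermediates, as seen at time at. Go treats
// every certificate in Roots as an anchor whether or not it is self-signed.
func chainOK(leaf *x509.Certificate, anchors, extras []*x509.Certificate, at time.Time) bool {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range anchors {
		roots.AddCert(c)
	}
	for _, c := range extras {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inter, CurrentTime: at, DNSName: leaf.Subject.CommonName,
	})
	return err == nil
}

// AnchorResults records one verdict per scenario from the thread.
type AnchorResults struct {
	RootAnchorWithIntermediate    bool // root trusted, intermediate supplied by the peer
	RootAnchorMissingIntermediate bool // root trusted, but nothing links root to leaf
	IntermediateAsAnchor          bool // intermediate placed directly in the trust store
	UnrelatedRootAnchor           bool // trust store holds a root from another hierarchy
	IntermediateAnchorExpiredLeaf bool // intermediate trusted, leaf checked after NotAfter
}

// RunScenarios builds the constructed hierarchy and evaluates each case.
func RunScenarios() AnchorResults {
	root, rootKey := newCert("Example Root", true, nil, nil, 10*365*24*time.Hour)
	inter, interKey := newCert("Example Intermediate", true, root, rootKey, 5*365*24*time.Hour)
	leaf, _ := newCert("ntp.example.net", false, inter, interKey, 90*24*time.Hour)
	other, _ := newCert("Unrelated Root", true, nil, nil, 10*365*24*time.Hour)
	now := time.Now()
	return AnchorResults{
		RootAnchorWithIntermediate:    chainOK(leaf, []*x509.Certificate{root}, []*x509.Certificate{inter}, now),
		RootAnchorMissingIntermediate: chainOK(leaf, []*x509.Certificate{root}, nil, now),
		IntermediateAsAnchor:          chainOK(leaf, []*x509.Certificate{inter}, nil, now),
		UnrelatedRootAnchor:           chainOK(leaf, []*x509.Certificate{other}, []*x509.Certificate{inter}, now),
		IntermediateAnchorExpiredLeaf: chainOK(leaf, []*x509.Certificate{inter}, nil, now.Add(180*24*time.Hour)),
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenarios())
}
```

Two things worth noting for anyone reproducing this against a real NTS server. First, the expired-leaf case shows what the second paragraph referred to above is getting at: choosing the intermediate as the anchor only shortens the chain search; validity dates, name matching and key-usage constraints are still enforced on every certificate in the chain. Second, OpenSSL's default path validation differs from Go's: it keeps walking until it reaches a self-signed certificate in the trust store, and accepts a chain that ends at a non-self-signed trusted certificate only when the X509_V_FLAG_PARTIAL_CHAIN verify flag (openssl verify -partial_chain) is set, so a build that validates against a Let's Encrypt intermediate alone is either relying on that flag or on the root also being present in the store.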