NTS: removed "not implemented" on server ca

Gary E. Miller gem at rellim.com
Wed Apr 3 18:59:30 UTC 2019

Yo Achim!

On Wed, 03 Apr 2019 20:52:36 +0200
Achim Gratz via devel <devel at ntpsec.org> wrote:

> Gary E. Miller via devel writes:
> >> If you can't get the root cert, you cannot validate anything that
> >> has this root as the trust anchor.  
> >
> > And yet, yesterday I was able to use git head to validate using just
> > a Let's Encrypt chain file.  So, yes, you need a root file to
> > validate against a root file, but you can validate against
> > intermediate files too.  This is a good thing.  
> _You_ moved the root up by declaring the intermediate to be the new
> root.

Except you specified a root is self signed.  Which this is not.

It is obviously an intermediate on its face.

>  Which (as was said multiple times before) just means that once
> you've found a cert that has ultimate trust no further checks will be
> performed, even when there are independent cert chains that would lead
> to other trust anchors.

No further check?  I guess you missed my second paragraph in the email
you are replying to that mentions pinning, stapling, revocation lists,
date checking, etc.

Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin
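
Added example, not part of the original message and not NTPsec code: the exchange above turns on whether a non-self-signed intermediate can act as the trust anchor. In OpenSSL's command-line tool that is controlled by -partial_chain; the script below builds a constructed root -> inter -> leaf PKI (all names and file names are made up) and verifies the leaf three ways.

```shell
#!/bin/sh
# Constructed three-level PKI (root -> inter -> leaf); all names are made up.

issue() {  # issue <dir> <name> <issuer> <extension-section>
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ext.cnf" \
        -subj "/CN=Constructed $2" -keyout "$1/$2.key" -out "$1/$2.csr" \
        2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" \
        -CAcreateserial -days 2 -extfile "$1/ext.cnf" -extensions "$4" \
        -out "$1/$2.pem" 2>/dev/null
}

make_pki() {  # make_pki <dir>
    cat > "$1/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_leaf]
basicConstraints = critical,CA:FALSE
EOF
    # Self-signed root, then an intermediate and a leaf chained below it.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$1/ext.cnf" \
        -extensions v3_ca -subj "/CN=Constructed root" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null &&
    issue "$1" inter root v3_ca &&
    issue "$1" leaf inter v3_leaf
}

check() {  # check <openssl verify args...>; prints ok or fail
    if openssl verify "$@" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

demo() {
    d=$(mktemp -d) || return 1
    make_pki "$d" || { rm -rf "$d"; return 1; }
    # Trust store holds only the intermediate (which is not self-signed).
    a=$(check -CAfile "$d/inter.pem" "$d/leaf.pem")
    b=$(check -partial_chain -CAfile "$d/inter.pem" "$d/leaf.pem")
    # Trust store holds the root; the intermediate is supplied as untrusted.
    c=$(check -CAfile "$d/root.pem" -untrusted "$d/inter.pem" "$d/leaf.pem")
    rm -rf "$d"
    echo "inter-only=$a inter-only+partial_chain=$b root+untrusted-inter=$c"
}

demo
```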