
Re: [Nmh-workers] TLS certificate validation

2016-09-24 11:44:53
On Sat, Sep 24, 2016 at 11:18 AM, Ken Hornstein <kenh(_at_)pobox(_dot_)com> wrote:

> The _code_ to verify a certificate chain in OpenSSL is relatively
> straightforward; I'm not worried about writing that.  But sadly, the
> configuration for all of that is lousy, and you start to see why web
> browsers ship with their own set of root certificates.  A brief survey
> suggests to me that common open-source systems do not ship a set of
> popular commercial root certificates.  That would require people to get
> root certificates ... and while I can imagine that SOME people, here
> especially, would bother to do that, let's be honest: most people WON'T.
> As we've seen, a lot of people don't use replyfilter despite it being
> around for 4 years and something everyone complains about.  So it would
> be a fair amount of code that few people would use, and even fewer know
> about.


Any system that does not maintain up-to-date certificates is just broken;
an invitation for security vulnerabilities to be exploited in situations
where expired or revoked certificates can be exploited.  Validating the
certificate chain should be the default and any other option available
should come with language that strongly discourages its use.  Doing
anything else would be giving people a false sense of security.

Thanks

Jeff

-- 
Jeffrey C. Honig <jch(_at_)honig(_dot_)net>
https://jchonig.withknown.com
GnuPG ID:14E29E13 <http://jch.honig.net/Home/pgp_key>
Keybase: jchonig <https://keybase.io/jchonig>