cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: [PATCH] openssl: allow partial trust chains

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Mon, 30 Nov 2015 09:52:38 +0100 (CET)

On Mon, 30 Nov 2015, Tim Ruehsen wrote:

>> What sort of problem do you see with this?
>
> I already gave a scenario where the requested change is dangerous. If you
> think it is not appropriate, please give some arguments.

(Let me preface this by saying that I'm not a TLS expert.)

You mentioned a case where the root CA was compromised as a reason. Can you
elaborate on how such a situation would be relevant?

We've seen compromised CAs several times in the past few years and we've seen
CAs do (stupid) mistakes. Comodo, diginotar, symantec and more.

In neither of those cases they would suddently populate my CA bundle with a
new faulty cert. Also, in neither of those cases (to my knowledge) would
trusting an intermediate CA had made the situation much different. In all
those cases the CAs handed out certs to sites that they really shouldn't have
and thus the already present root certs and intermediate certs were
unmodified. (Some of them were later removed and/or blacklisted, but that's a
slow process.)

I think the perfect remedy for a client to detect those things are cert
pinning (ie detecting when a site changes its cert) and possibly oscp
stapling. A remedy for a wider scale detection of these compromises is
Certificate Transparency.

Or am I wrong?

>> We don't normally fear adding options in libcurl, but this is a very
>> specialized option that very few users would know how to handle.
>
> ??? IMO, Reiner and Petr know what they want - and they seems to be the only
> ones who needs this feature so far. Why do you think they can't handle a CLI
> option ?

They would be examples of users in the subset of humans that understand this
topic and would understand what such an option does. The vast majority of
(lib)curl users have much less knowledge of protocols in general and TLS in
particular than Reiner and Petr. And in fact than most people who subscribe to
this mailing list.

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html

Received on 2015-11-30

This message: [ Message body ]
Next message: Reiner Herrmann: "Re: [PATCH] openssl: allow partial trust chains"
Previous message: Tim Ruehsen: "Re: [PATCH] openssl: allow partial trust chains"
In reply to: Tim Ruehsen: "Re: [PATCH] openssl: allow partial trust chains"
Next in thread: Tim Ruehsen: "Re: [PATCH] openssl: allow partial trust chains"
Reply: Tim Ruehsen: "Re: [PATCH] openssl: allow partial trust chains"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]