curl-library
Re: [PATCH] openssl: allow partial trust chains
Date: Mon, 30 Nov 2015 11:52:27 +0100
On Thu, Nov 26, 2015 at 11:59:23AM +0100, Tim Ruehsen wrote:
> I understand the scenario but one question:
>
> "...want to trust as few CAs as possible..." is IMO not correct. You
> implicitly trust the rootCA (because you trust letsencryptCA), but just want
> to avoid checking it for some reason. Why? Is it disk space or CPU cycle
> concerns?
To clarify this, I don't have any root CAs in my trust store. It is
empty except for a few selected (intermediate) CAs that I trust because I
verified them through other ways.
I'm also using libcurl and not the CLI.
Right now it is not possible with the OpenSSL backend to verify connections,
because of the missing root CA, even though I told curl that I trust
the intermediate CAs by placing them into the trust store.
Allowing partial trust chains solves this problem.
I agree that it might be a rare case that normal users don't have.
But I also don't see a security problem in allowing shorter trust chains.
Regards,
Reiner
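The behaviour discussed in this thread, as an added, stand-alone demonstration with the openssl CLI (not code from the patch or from curl): a constructed root -> intermediate -> leaf chain is verified against a trust store that holds only the intermediate, first under OpenSSL's default rule and then with `-partial_chain`, which sets the same X509_V_FLAG_PARTIAL_CHAIN verification flag the libcurl OpenSSL backend needs for this to succeed. It assumes an `openssl` binary (1.0.2 or later) on PATH; all subjects and file names are made up for the demo.

```shell
#!/bin/sh
# Added demo, not part of the thread. Builds root -> intermediate -> leaf and
# verifies the leaf with ONLY the intermediate in the trust store.
# All names below are constructed for the demo.
set -e
workdir=$(mktemp -d)
cd "$workdir"

# Self-signed root CA. It is deliberately never put into the trust store used
# below, mirroring a trust store that holds only hand-verified intermediates.
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
  -subj "/CN=Demo Root CA" -days 30 >/dev/null 2>&1

# Intermediate CA, signed by the root and marked CA:TRUE so it may issue leaves.
openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj "/CN=Demo Intermediate CA" >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out inter.pem -days 30 -extfile inter.ext >/dev/null 2>&1

# End-entity (leaf) certificate, signed by the intermediate.
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=example.test" >/dev/null 2>&1
printf 'basicConstraints=CA:FALSE\n' > leaf.ext
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -out leaf.pem -days 30 -extfile leaf.ext >/dev/null 2>&1

# Default OpenSSL rule: the chain must end at a self-signed certificate that is
# in the store. With only inter.pem trusted this is rejected, because the
# root that issued inter.pem cannot be found ("unable to get issuer certificate").
verify_strict() {
  openssl verify -CAfile inter.pem leaf.pem >/dev/null 2>&1
}

# Partial-chain rule (X509_V_FLAG_PARTIAL_CHAIN): a trusted certificate may
# terminate the chain even if it is not self-signed, so the intermediate alone
# is an acceptable trust anchor and the leaf verifies.
verify_partial() {
  openssl verify -partial_chain -CAfile inter.pem leaf.pem >/dev/null 2>&1
}

if verify_strict; then echo "strict: OK"; else echo "strict: rejected (root not in store)"; fi
if verify_partial; then echo "partial_chain: OK"; else echo "partial_chain: rejected"; fi
```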
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html