[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Antw: Re: OpenLDAP with ssl client certs

Quanah Gibson-Mount wrote:
> --On Monday, November 04, 2013 8:54 AM +0100 Ulrich Windl
> <Ulrich.Windl@rz.uni-regensburg.de> wrote:
>> Sorry, but if you insist on that, you didn't understand the concept: Any
>> certificate signed (transitively) by a root CA is valid. There are no
>> distinctions between more or less valid certificates; they are either
>> valid or invalid. Even if you talk about a single CA, what do you mean? A
>> name of a CA, or one specific certificate of a CA? Over time one CA may
>> have more than one certificate.
> Sorry, you are wrong.  I suggest you think about this for a while until you
> realize why blindly trusting any cert issues by any CA is not a good idea.

=> Cert pinning when validating client certs in the server also makes sense.

Ciao, Michael.

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature