[stunnel-users] Why does verify=3 require the entire cert chain to be present in cafile?

• Previous message (by thread): [stunnel-users] Why does verify=3 require the entire cert chain to be present in cafile?
• Next message (by thread): [stunnel-users] Why does verify=3 require the entire cert chain to be present in cafile?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

OP did not ask for PKI. It is obvious that directly trusted server 
certificate cannot be revoked.
The necessary option is that ANY directly trusted certificate should be 
treated as self signed.
(For example server cert is trusted, but CA is not) There might be other 
users, who trusts CA,
but does not trusts server cert directly, so server cert were signed by CA
for sake of that subset of users.

----- Original Message ----- 
From: "Jochen Bern" <Jochen.Bern at LINworks.de>
To: <stunnel-users at stunnel.org>
Sent: Wednesday, November 02, 2011 2:05 PM
Subject: Re: [stunnel-users] Why does verify=3 require the entire cert chain 
to be present in cafile?

Whether "the PKI model" ***ALLOWS*** overlaying a Web of Trust in
addition to the hierarchical structure is debatable. As I already
mentioned, not going through the CA certs effectively disables
(automated) CRL checking, which is a pretty dubious "improvement".

• Previous message (by thread): [stunnel-users] Why does verify=3 require the entire cert chain to be present in cafile?
• Next message (by thread): [stunnel-users] Why does verify=3 require the entire cert chain to be present in cafile?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]