Re: Antw: Re: OpenLDAP with ssl client certs
Quanah Gibson-Mount wrote:
--On Monday, November 04, 2013 8:54 AM +0100 Ulrich Windl
<Ulrich.Windl(a)rz.uni-regensburg.de> wrote:
> Sorry, but if you insist on that, you didn't understand the concept: Any
> certificate signed (transitively) by a root CA is valid. There are no
> distinctions between more or less valid certificates; they are either
> valid or invalid. Even if you talk about a single CA, what do you mean? A
> name of a CA, or one specific certificate of a CA? Over time one CA may
> have more than one certificate.
Sorry, you are wrong. I suggest you think about this for a while until you
realize why blindly trusting any cert issues by any CA is not a good idea.
=> Cert pinning when validating client certs in the server also makes sense.
Ciao, Michael.
Attachments:
- smime.p7s (application/pkcs7-signature — 2.3 KB)