[erlang-questions] enforcing ssl trust chain
Mon Aug 16 14:30:23 CEST 2010
> My personal preference for default value was not to accept any
> path-validation errors as default, but the motivation was that it
> should be as easy as possible to get an ssl connection up and
> running. I am just back from vacation and I do not remember
> all the details of the discussion. We are of course interested in all
> user feedback we can get.
> So if you have any arguments for or against please let us know.
In my opinion the default behavior should be very strict with regards to
It should honor keyUsage and AKI/SKI extensions, check all CAs in the chain,
have the possibility to supply a CRL (or CRL location) etc.
Then there could be options to allow "quick-and-dirty" SSL where only basic
validation like the signature and validity time of the subject certificate
In the path-validation case there could be an option specifying the maximum
chain depth allowed where 0 could mean skip CA validation. By default the
whole chain should be validated until we find a trusted self-signed root CA
(or a trusted intermediary CA).
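
The strict and "quick-and-dirty" settings discussed above, written out as options for OTP's ssl application. This is an added example, not part of the original message or of the OTP sources; the module name strict_tls, the functions strict_opts/2, lax_opts/0 and connect/3, and the CaFile argument are hypothetical.

```erlang
-module(strict_tls).
-export([strict_opts/2, lax_opts/0, connect/3]).

%% Strict client options: any path-validation error aborts the handshake.
%% CaFile (PEM file of trusted CAs) and MaxDepth are supplied by the caller.
strict_opts(CaFile, MaxDepth) ->
    [{verify, verify_peer},            % an invalid chain fails the handshake
     {cacertfile, CaFile},             % the only trust anchors
     %% In the ssl application, depth counts the intermediate CAs allowed
     %% between the peer certificate and a trust anchor; 0 means the peer
     %% certificate must be issued directly by a trusted CA.
     {depth, MaxDepth},
     {verify_fun, {fun verify/3, []}}].

%% "Quick-and-dirty" setup: the handshake completes without the peer
%% certificate being verified, so the peer is not authenticated.
lax_opts() ->
    [{verify, verify_none}].

%% Called by ssl while it walks the certification path.
verify(_Cert, {bad_cert, _} = Reason, _State) ->
    {fail, Reason};                    % expired, unknown CA, bad signature, ...
verify(_Cert, {extension, _Ext}, State) ->
    {unknown, State};                  % not handled here; ssl decides
verify(_Cert, valid, State) ->
    {valid, State};                    % a CA certificate passed its checks
verify(_Cert, valid_peer, State) ->
    {valid, State}.                    % the peer certificate passed its checks

%% Connect with the strict options, allowing at most two intermediate CAs.
connect(Host, Port, CaFile) ->
    {ok, _} = application:ensure_all_started(ssl),
    ssl:connect(Host, Port, strict_opts(CaFile, 2), 5000).
```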