[erlang-questions] enforcing ssl trust chain

Jesper Pettersson jesper.pettersson@REDACTED
Mon Aug 16 14:30:23 CEST 2010


> My personal preference for default value was not to accept any
> path-validation errors as default, but the motivation was that it
> should be as easy as possible to get an ssl connection up and
> running. I am just back from vacation and I do not remember
> all the details of the discussion.  We are of course interested in all
> user feedback we can get.
> So if you have any arguments for or against please let us know.

In my opinion the default behavior should be very strict with regards to
certificate validation.
It should honor keyUsage and AKI/SKI extensions, check all CAs in the chain,
have the possibility to supply a CRL (or CRL location) etc.

Then there could be options to allow "quick-and-dirty" SSL where only basic
validation like the signature and validity time of the subject certificate
is verified.

In the path-validation case there could be an option specifying the maximum
chain depth allowed where 0 could mean skip CA validation. By default the
whole chain should be validated until we find a trusted self-signed root CA
(or a trusted intermediary CA).

Jesper Pettersson
Klarna AB
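As an added illustration (not part of the original thread, and not Klarna's or the OTP team's code), this is how the strict defaults Jesper asks for, and the "quick-and-dirty" alternative, look when expressed with the option names of the current OTP `ssl` application. Several of these options (`crl_check`, `crl_cache`, `customize_hostname_check`) postdate the 2010 discussion; the module name, the CA file path and the port are placeholders chosen here.

```erlang
%% strict_tls.erl -- added example, not from the original thread.
%% Shows a strict client configuration (whole chain validated up to a trusted
%% root, bounded chain depth, CRL checking, hostname verification) next to the
%% "quick-and-dirty" configuration that skips path validation entirely.
%% Option names are those of the OTP ssl application; CAFile is a placeholder.
-module(strict_tls).
-export([strict_opts/2, quick_opts/0, connect/3]).

%% Strict validation:
%%  - verify_peer: fail the handshake on any path-validation error
%%  - cacertfile:  the set of trusted root / intermediate CAs
%%  - depth:       at most MaxDepth intermediate CAs between peer and root
%%  - crl_check:   reject certificates listed in the CRLs named by the
%%                 chain's CRL distribution points (fetched over HTTP here)
%%  - customize_hostname_check: match the peer certificate against Host
%%                 using public_key's wildcard-aware matcher
strict_opts(Host, CAFile) ->
    [{verify, verify_peer},
     {cacertfile, CAFile},
     {depth, 2},
     {crl_check, true},
     {crl_cache, {ssl_crl_cache, {internal, [{http, 5000}]}}},
     {server_name_indication, Host},
     {customize_hostname_check,
      [{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]}].

%% "Quick-and-dirty" mode as described in the message: no CA validation.
%% Only the TLS handshake itself succeeds; the peer's identity is unverified.
quick_opts() ->
    [{verify, verify_none}].

%% Open a TLS connection to Host:Port with strict options, then close it.
%% Returns ok on a fully validated handshake, {error, Reason} otherwise
%% (e.g. {tls_alert, {unknown_ca, _}} when no trusted root is found).
connect(Host, Port, CAFile) ->
    {ok, _} = application:ensure_all_started(ssl),
    case ssl:connect(Host, Port, strict_opts(Host, CAFile), 5000) of
        {ok, Socket} ->
            ssl:close(Socket),
            ok;
        {error, Reason} ->
            {error, Reason}
    end.
```

One caveat on the `depth` option as OTP defines it: `{depth, 0}` does not mean "skip CA validation" as the message proposes; it means the peer certificate must be signed directly by one of the trusted CAs, with no intermediates allowed. Skipping path validation is expressed only through `{verify, verify_none}`, which is why the two modes are kept as separate option lists above.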

