[erlang-questions] Intermediate certificate as CA

Fred Dushin fred@REDACTED
Mon Mar 19 01:35:14 CET 2018


Interesting.  That entails I trust an intermediate in my certificate chain for connections from peers, which on the face of it doesn't seem correct, as it widens the collection of trusted peers unnecessarily.  Couldn't there be cases where you only want to trust peers from a certain CA (e.g., an issuing authority that is strictly below your own issuer), but not your own issuer?  

E.g., something like

CA
+- ICA1
   +- server
   +- ICA2
      +- client

but where you only want to accept connections from ICA2.

(I don't have this particular problem, but it does come to mind.)

Semantically it's a little strange, too, but that can always be fixed with documentation.

Is this because the implementation depends on OpenSSL, or just the design?  If the latter, I would suspect that changing the behavior to specify own certificate chains outside of the trust store would introduce nontrivial upgrade issues for existing users, unwitting or otherwise.

-Fred

> On Mar 18, 2018, at 5:58 PM, Ingela Andin <ingela.andin@REDACTED> wrote:
> 
> All intermediate CAs should be placed in the cacertfile option together with trusted ROOT certs; this way of configuring has been inherited from OpenSSL.
> 

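As an added example (not code from either poster), the ICA2-only policy sketched above can be enforced on the Erlang server side with the ssl application's verify_fun option while CA, ICA1 and ICA2 all stay in cacertfile, as the reply says they must; the PEM file names and the module name are placeholders.

```erlang
%% ica2_only.erl -- added example. cacertfile keeps the whole chain
%% (CA, ICA1, ICA2) as required, and a verify_fun rejects any client
%% certificate whose issuer is not ICA2. File names are placeholders.
-module(ica2_only).
-export([server_opts/0, verify/3]).

%% DER body of the first certificate in a PEM file.
der_cert(PemFile) ->
    {ok, Pem} = file:read_file(PemFile),
    [{'Certificate', Der, not_encrypted} | _] = public_key:pem_decode(Pem),
    Der.

%% verify_fun callback: ssl calls it once per certificate in the
%% validated path. Only the leaf (valid_peer) gets the extra policy check;
%% the other clauses reproduce ssl's default behaviour.
verify(_Cert, {bad_cert, Reason}, _Ica2) ->
    {fail, Reason};
verify(_Cert, {extension, _}, Ica2) ->
    {unknown, Ica2};
verify(_Cert, valid, Ica2) ->
    {valid, Ica2};
verify(PeerCert, valid_peer, Ica2) ->
    %% pkix_is_issuer/2 compares the peer's issuer name with ICA2's
    %% subject name; the signatures were already checked by path
    %% validation before ssl reports valid_peer.
    case public_key:pkix_is_issuer(PeerCert, Ica2) of
        true  -> {valid, Ica2};
        false -> {fail, {bad_cert, not_issued_by_ica2}}
    end.

%% Options for ssl:listen/2 or ssl:handshake/2 on the accepting side.
server_opts() ->
    Ica2 = public_key:pkix_decode_cert(der_cert("ica2.pem"), otp),
    [{certfile, "server.pem"},
     {keyfile, "server_key.pem"},
     {cacertfile, "ca_ica1_ica2.pem"},   % root plus both intermediates
     {verify, verify_peer},
     {fail_if_no_peer_cert, true},
     {verify_fun, {fun ?MODULE:verify/3, Ica2}}].
```

A client issued directly by CA or by ICA1 still validates as a chain but is refused at the valid_peer step, so the trust store can stay complete without widening the set of accepted peers.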

