Re: [exim-dev] Should we always load the default trust store…

Author: Viktor Dukhovni
To: exim-dev
Subject: Re: [exim-dev] Should we always load the default trust store? (was: tls_verify_certificates forced failure vs. empty string)
On Wed, Nov 26, 2014 at 10:56:55PM +0100, Heiko Schlittermann wrote:

> That means, I can't exclude CAs that I have in my system default
> location. I can only *add* certificates. What's so bad with this?
>
> There are use cases where a peer certificate has to be verified against
> a small set of trusted CAs, and never ever against just any of the CAs
> found in the system default location? And for several reasons it is not
> an option to modify the system default trust store.
>
> IMHO we need to add an option like 'tls_load_default_certificates'. This
> option should be bool and expandable.


FWIW:

    http://www.postfix.org/postconf.5.html#tls_append_default_CA


> The question arises about the default value of
> tls_load_default_certificates. The natural value should be 'no',
> because then tls_verify_certificates follows the principle of least
> astonishment.


Postfix switched to a default of "no" around 4 years ago (2.7.2
and the other releases supported at the time). The reason was in fact
"least astonishment" and the security consequences of trusting more
CAs than intended.

-- 
    Viktor.