On Wed, Nov 26, 2014 at 10:56:55PM +0100, Heiko Schlittermann wrote:
> That means, I can't exclude CAs that I have in my system default
> location. I can only *add* certificates. What's so bad with this?
>
> There are use cases where a peer certificate has to be verified against
> a small set of trusted CAs, and never ever against just any of the CAs
> found in the system default location? And for several reasons it is not
> an option to modify the system default trust store.
>
> IMHO we need to add an option like 'tls_load_default_certificates'. This
> option should be bool and expandable.
FWIW:
http://www.postfix.org/postconf.5.html#tls_append_default_CA
> The question arises about the default value of
> tls_load_default_certificates. The natural value should be 'no',
> because then tls_verify_certificates follows the principle of least
> astonishment.
Postfix switched to a default of "no" around 4 years ago (2.7.2
and the other releases supported at the time). The reason was in fact
"least astonishment" and the security consequences of trusting more
CAs than intended.
--
Viktor.
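As an added illustration of the point made in this exchange (it is not part of the thread and not taken from the Postfix or Exim documentation), here is a Postfix main.cf fragment for the "small set of trusted CAs" use case Heiko describes, using the tls_append_default_CA parameter Viktor points to. The file paths and the destination name are placeholders.

```conf
# Added example, not from the thread. Two alternative fragments; put only
# one of them in main.cf (Postfix uses the last value when a parameter is
# repeated, which is easy to overlook).

# Fragment A (weak): the private CA file is loaded, but because
# tls_append_default_CA is "yes" the system default trust store is appended
# to it, so any CA in that store can also vouch for the peer. This is the
# behaviour Heiko objects to, and was the Postfix default before the change
# Viktor mentions (2.7.2 and the other then-supported releases).
smtp_tls_CAfile         = /etc/postfix/private-ca.pem   # placeholder path
tls_append_default_CA   = yes

# Fragment B (intended): only the CAs in smtp_tls_CAfile are trusted.
# "no" has been the default since that change, so stating it is merely
# explicit; it protects the setup if a distribution override reappears.
smtp_tls_CAfile         = /etc/postfix/private-ca.pem   # placeholder path
tls_append_default_CA   = no

# With either fragment, require chain verification against that trust
# store (plus hostname matching) for a specific destination via a
# per-destination policy table; other destinations keep the global level.
smtp_tls_security_level = may
smtp_tls_policy_maps    = hash:/etc/postfix/tls_policy
# /etc/postfix/tls_policy (run "postmap /etc/postfix/tls_policy" after editing):
#   partner.example   secure
```

To check which value is actually in effect on a running system, `postconf tls_append_default_CA` prints the effective setting, and `postconf -n` lists only the parameters that differ from the built-in defaults.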