OP did not ask for PKI. It is obvious that a directly trusted server certificate cannot be revoked. The necessary option is that ANY directly trusted certificate should be treated as self-signed. (For example, the server cert is trusted, but the CA is not.) There might be other users who trust the CA but do not trust the server cert directly, so the server cert was signed by the CA for the sake of that subset of users.
----- Original Message -----
From: "Jochen Bern" Jochen.Bern@LINworks.de
To: stunnel-users@stunnel.org
Sent: Wednesday, November 02, 2011 2:05 PM
Subject: Re: [stunnel-users] Why does verify=3 require the entire cert chain to be present in cafile?
Whether "the PKI model" ***ALLOWS*** overlaying a Web of Trust in addition to the hierarchical structure is debatable. As I already mentioned, not going through the CA certs effectively disables (automated) CRL checking, which is a pretty dubious "improvement".