3 Nov
2011
3 Nov
'11
7:12 a.m.
al_9x@yahoo.com wrote:
I am not suggesting you should abandon normal CA based validation, but that in addition to it, you could support an alternative validation model where the user can grant trust to the server cert, which renders any further validation unnecessary. Considering you support running without any validation whatsoever, doesn't make sense that you object to this alternative approach.
Makes sense indeed.
Just to be sure I understand your needs: the server would send the whole chain, but the client would only verify the peer certificate, right? Otherwise it might be hard to perform peer certificate validation without its signing certificate.
Mike