On 2013-09-20 04:30, Javier wrote:
> But a bit contradictory to accept a certificate that has been issued by a CA you don't trust, just for the main purpose of establishing an SSL connection.
It seems to be contradictory, but it is not. You often cannot control the certificate of your peer server. In case its certificate is issued by a large CA, you really want to make sure you're connecting to this specific server, and not any other server with a certificate issued by the same CA. Web browsers use CNAME/SubjectAltName verification to solve the same problem in a different way.
Mike