SSL fingerprint verification
Daniel Shahaf
d.s at daniel.shahaf.name
Tue Aug 30 22:32:02 UTC 2011
Johannes Stezenbach wrote on Wed, Aug 31, 2011 at 00:14:27 +0200:
> It's better to use just the one CA cert you need and hopefully trust.
Another thing: sslcacertfile requires a full certificate chain; the
proposed sslfingerprint requires only verifying the tail of the chain
(ie, the vendor's certificate, ignoring the CA's certificate).
Which may be more useful --- for the same reason that being able to
specify only the tail of the chain, rather than the full chain, in the
sslcacertfile might presumably be useful.
More information about the OfflineIMAP-project
mailing list