SSL fingerprint verification

Daniel Shahaf d.s at daniel.shahaf.name
Tue Aug 30 23:32:02 BST 2011


Johannes Stezenbach wrote on Wed, Aug 31, 2011 at 00:14:27 +0200:
> It's better to use just the one CA cert you need and hopefully trust.

Another thing: sslcacertfile requires a full certificate chain; the
proposed sslfingerprint requires only verifying the tail of the chain
(ie, the vendor's certificate, ignoring the CA's certificate).

Which may be more useful --- for the same reason that being able to
specify only the tail of the chain, rather than the full chain, in the
sslcacertfile might presumably be useful.




More information about the OfflineIMAP-project mailing list