On Sat, 10 Feb 2018 12:16:18 -0600
> I like how it was already pointed out, by you and possibly others, on
> openbsd-misc *and* this list, that most people do not use the CA / SAN
> verification routines correctly.
> Then you mention that "well, invalid certs like that shouldn't be
You missed the point entirely, he didn't ask the question.
From the commit message I'm inclined to think it clamps the year for
good or bad but I was just pointing out his argument was potentially
OpenSSL only started in 1998! and any trusted CA that issues a pre 1970
cert is broken anyway. That was his assertion of it working that
way and being insecure.
The point wasn't that I knew but that he hadn't given LibreSSL the
chance despite it's merits over OpenSSL. I assure you that LibreSSL
devs know a lot more than us about LibreSSL. Not raising issue with
them is arrogance.
But yes, I use public key crypto not CA certificates for anything I
implement, except a website where I hope letsencrypt start doing
things properly and less traditionally.
I actually don't care one bit aside from dev time wasted for a
worse outcome. I simply saw a wrong
> The problem with the OpenBSD community is not bluntness. Arrogance
> and trolling are problems for me. And you know what? Honestly, I
> don't find too many OpenBSD devs have that problem. Their users,
> however...their users....
Atleast you did enter some discussion and William might have learnt
that passing imsgs can be more secure and protect the keys!
Received on Sat Feb 10 2018 - 19:06:46 UTC