From: "Marvin Häuser" <mhaeuser@posteo.de>
To: discuss@edk2.groups.io, xiewenyi2@huawei.com
Cc: jiewen.yao@intel.com, Jian J Wang <jian.j.wang@intel.com>,
xiaoyux.lu@intel.com, guomin.jiang@intel.com,
"devel@edk2.groups.io" <devel@edk2.groups.io>
Subject: Re: [edk2-discuss] a question about X509 flag
Date: Mon, 27 Sep 2021 09:21:15 +0000
Message-ID: <eb0a83c5-2837-c4ac-e490-f7a26499caaa@posteo.de>
In-Reply-To: <F1w5.1632732788218367077.BY2j@groups.io>
Hey Wenyi,
Sorry, I cannot help with the time one, but "partial chain" is how
virtually any other crypto-solution works out-of-the-box. Basically
there is a disagreement about what defines a root certificate, and while
some think it is the OpenSSL default of requiring a self-signed
certificate for root, many people including myself strongly disagree and
do not believe it follows from the RFCs. I'm not aware of any bad
security implications of either model. So, this merely allows any
certificate in the chain (the top one may be self-signed *if* it even is
a certificate, it may just as well be a trusted public key for all we
know) to be eligible to be added to the trust store and root a trust chain.
Further reading: https://github.com/openssl/openssl/issues/7871
Cc CryptoPkg maintainers and edk2-devel for further feedback
Best regards,
Marvin
On 27/09/2021 10:53, wenyi,xie via groups.io wrote:
> Hello,
>
> I have a question about flag set in X509_STORE. Does anyone know why need to set flags X509_V_FLAG_PARTIAL_CHAIN and X509_V_FLAG_NO_CHECK_TIME to X509Store in TlsNew() (CryptoPkg\Library\TlsLib\TlsInit.c)
>
> Thanks
> Wenyi
>
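As an added illustration (not part of this thread and not CryptoPkg code), the openssl(1) command-line equivalent of the store flag, -partial_chain, shows what X509_V_FLAG_PARTIAL_CHAIN changes: with only a non-self-signed certificate in the store, the default rules reject the chain, while the partial-chain model accepts that certificate, or even the leaf itself, as the anchor. It assumes an openssl binary (1.1.0 or newer) on PATH and builds a throwaway Root -> Intermediate -> Leaf chain in a temporary directory.

```shell
#!/bin/sh
# Added example, not CryptoPkg code: compare default and -partial_chain
# verification (the CLI form of X509_V_FLAG_PARTIAL_CHAIN) on a constructed
# chain Root (self-signed) -> Intermediate (CA:TRUE) -> Leaf.
# Assumes openssl 1.1.0 or newer on PATH; all files live in a temp dir.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
    -subj /CN=Root -days 365 >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' >ca.ext
openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -subj /CN=Intermediate >/dev/null 2>&1
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.ext -days 365 -out inter.pem >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj /CN=leaf.example >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 365 -out leaf.pem >/dev/null 2>&1

# verify_leaf TRUSTFILE [verify options...]: prints "ok" or "fail" for
# leaf.pem against a store holding only TRUSTFILE; never aborts the script.
verify_leaf() {
    trust=$1; shift
    if openssl verify "$@" -CAfile "$trust" leaf.pem >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Conventional model: the anchor is the self-signed root and the
# intermediate is supplied as untrusted chain material.
echo "root trusted, default rules:         $(verify_leaf root.pem -untrusted inter.pem)"  # ok
# Only the intermediate is trusted. OpenSSL's default insists on reaching a
# self-signed certificate, so this is rejected (unable to get issuer).
echo "intermediate trusted, default rules: $(verify_leaf inter.pem)"                       # fail
# Same store with the partial-chain model: a certificate found in the store
# terminates the chain even though it is not self-signed.
echo "intermediate trusted, partial chain: $(verify_leaf inter.pem -partial_chain)"       # ok
# Under that model even the leaf itself can be the trust anchor (pinning).
echo "leaf trusted, partial chain:         $(verify_leaf leaf.pem -partial_chain)"        # ok
```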