Verified commit 2a249c89 authored by Steve Kerrison

Chore: A little extra TL;DR and a formatting tweak

parent e813b096
......@@ -27,6 +27,11 @@ Summarising what happens:
3. The service establishes trust in the identities claimed by the client ✔️
4. The client **does not** establish trust in the certificates its given ❌
To see the evidence, you can jump straight to this articles [survey][#a-survey]
of clients. To see how to deal with it, here's a [proposed
enhancement](https://gitlab.com/microsec-public/acme.sh/-/commit/c2d7e7e60ae3f136b2266f4c801b97b0273d2856)
to one such client.
### So what?
This means that the certificates we get from the likes of Let's Encrypt aren't
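Review bot: In the added TL;DR paragraph, `[survey][#a-survey]` uses reference-link syntax, so Markdown looks for a link definition labelled `#a-survey` instead of jumping to the in-page anchor; unless that label is defined elsewhere in the file, the text renders as literal brackets. The inline form `[survey](#a-survey)` is what is wanted here. The same added line has "this articles", which should be "this article's". The unchanged context line just above it ("its given") has the matching apostrophe slip, "it's given", and could be fixed in this same chore commit.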
......@@ -376,9 +381,8 @@ certificates.
Standards be damned, there's nothing stopping clients from offering "hardened"
modes where some of these checks are performed now. In fact, the author has
[forked `acme.sh`](https://gitlab.com/microsec-public/acme.sh) to provide [an
example of such
hardening](https://gitlab.com/microsec-public/acme.sh/-/commit/c2d7e7e60ae3f136b2266f4c801b97b0273d2856).
[forked `acme.sh`](https://gitlab.com/microsec-public/acme.sh) to provide
[an example of such hardening](https://gitlab.com/microsec-public/acme.sh/-/commit/c2d7e7e60ae3f136b2266f4c801b97b0273d2856).
The modification performs the following:
- Verifies the issued certificate and chain against the system's trust store,
......
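Review bot: The rejoined `[an example of such hardening](...)` line carries the same pinned commit URL that the TL;DR hunk at line 27 adds, so the file now has two copies to keep in sync if the fork commit is ever rebased or replaced. Consider one reference-style link definition and pointing both links at it. The new line also runs well past the roughly 80-column wrap used by the surrounding paragraph; if a Markdown line-length lint applies to this file, the line will need an exemption.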