WKD proper behavior on fetch error

raf gnupg at raf.org
Mon Jan 18 00:57:23 CET 2021


On Sun, Jan 17, 2021 at 10:27:24PM +0100, Stefan Claas via Gnupg-users <gnupg-users at gnupg.org> wrote:

> On Sun, Jan 17, 2021 at 10:16 PM Juergen Bruckner via Gnupg-users
> <gnupg-users at gnupg.org> wrote:
> 
> Please try to accept that GitHub's SSL cert is *valid*, or do you think
> that a CA certifies an invalid cert?

Please try to accept that GitHub's certificate is only
valid for the domains that the CA certified it as being
valid for (which are listed in the certificate itself
for all to see), and that it is not valid for any other
domain (that the CA did not certify it as being valid
for).

I thought the passport example was very good. A slight
tweak (for wildcard certificates) is to imagine a
passport that identifies a person and their children,
but not their grandchildren. I think such passports
exist (or used to), but only for very young children.
It's not a perfect analogy, but I hope it paints the
picture well enough.

cheers,
raf
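
The point about listed names and wildcards, as an added example that is not part of the original message: a simplified version of the hostname check a TLS client performs, in which a wildcard covers one label (the "children") but not two (the "grandchildren"). All domain names are constructed; `openpgpkey.` is the subdomain prefix that WKD's advanced lookup method queries, and partial wildcards and internationalized names are left out.

```python
from __future__ import annotations

# Added example: simplified RFC 6125-style matching of a hostname against
# the DNS names listed in a certificate. All names below are constructed.

def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if one certificate DNS name covers the hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # A wildcard stands for exactly one label, so label counts must agree.
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        # Wildcard is honoured only as the whole leftmost label, and only
        # when at least two further labels follow it (so no "*.org").
        if len(p_labels) < 3:
            return False
        return p_labels[1:] == h_labels[1:]
    # A "*" anywhere else is treated as a literal and cannot match a host.
    return p_labels == h_labels


def cert_covers(san_dns_names: list[str], hostname: str) -> bool:
    """A certificate is valid for a host only if some listed name matches."""
    return any(name_matches(n, hostname) for n in san_dns_names)


# Constructed subjectAltName list of a hosting provider's certificate.
SAN = ["example.org", "*.example.org"]


def demo() -> dict[str, bool]:
    hosts = [
        "example.org",                   # the person named in the passport
        "alice.example.org",             # a "child": covered by the wildcard
        "openpgpkey.alice.example.org",  # a "grandchild": not covered
        "example.net",                   # a different domain entirely
    ]
    return {h: cert_covers(SAN, h) for h in hosts}


if __name__ == "__main__":
    for host, ok in demo().items():
        print(f"{host:32} {'valid' if ok else 'NOT valid'}")
```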
