Cuberite Forum
Yggdrasil Auth - Printable Version



RE: Yggdrasil Auth - xoft - 04-14-2014

Saving the root CA is a nice idea, and it should work, until either the root CA and/or any of the intermediate CAs go out of validity, which is in 2030+. Elegant solution.
I don't think the server has more certificates, because each cert is paid and why get more if you can reuse the same cert as long as the domain name matches?


RE: Yggdrasil Auth - bearbin - 04-14-2014

Also, what if they change CA?


RE: Yggdrasil Auth - worktycho - 04-14-2014

Stick another root cert in. Servers can't have multiple certs, but in this situation we're the client, so we can have as many certs as we can fit on the drive.

@xoft Saving the root CA is elegant, that's why everyone does that.


RE: Yggdrasil Auth - xoft - 04-14-2014

Yeah, everyone does that and look where it got them - now they can't easily revoke certs after Heartbleed :P
I don't like the idea of keeping multiple CA certs and having to take care of them. I'm willing to do this if the cert doesn't change; the first time it changes, the code goes out and we use fingerprints.