9 Sep
2016
9 Sep
'16
12:53 p.m.
On Sep 9, 2016, at 12:41 PM, Matthew West <matthew.t.west@gmail.com> wrote:
To this, my technical lead on the project said: ] Need to look at two things here – ] * CRL checks – so that revoked certs do not authenticate ] * Certificate Whitelist of sorts – So only our bunch of certs authenticate
It is apparent that he understands the implication of using the VeriSign chain as our CA. Is it possible to achieve a cert whitelist, say, filter on the e-mail address presented in the certificate?
Not on the client. See the Windows GUI for what's possible. The short answer is "not much".
Would that remediate any security concerns, or would that still leave room for abuse?
You probably can't do it, which means it doesn't help. Alan DeKok.