Get rid of the Certificate Verification functionality #11
Comments
|
That puts the validation upstream to what ever got the thumbprint. That's fine if its manual. But if its acquired programmatically can you still validate it if need be? From: Dave Wyattmailto:notifications@github.com By specifying a certificate thumbprint (or object, etc), we're already saying we trust the key pair associated with that hash, regardless of whether it's self-signed or expired, etc. (The certificate is really just a container for a key pair at that point; we're bypassing the chain of trust stuff, and don't even care about the identity that the certificate was issued to.) With that in mind, it's time to deprecate the -SkipCertificateVerification switch and just make that the default behavior. Reply to this email directly or view it on GitHub: |
|
Yep, anyone can do that (though the functionality wouldn't be part of the ProtectedData module itself). Right now, when you don't set the -SkipCertificateVerification switch, you get three checks performed inside the module:
If your workflow requires these checks before you use the certificate, you could do that before calling the Protect-Data / Unprotect-Data / etc commands. |
|
Implemented in 4.1.0. |
By specifying a certificate thumbprint (or object, etc), we're already saying we trust the key pair associated with that hash, regardless of whether it's self-signed or expired, etc. (The certificate is really just a container for a key pair at that point; we're bypassing the chain of trust stuff, and don't even care about the identity that the certificate was issued to.)
With that in mind, it's time to deprecate the -SkipCertificateVerification switch and just make that the default behavior.
The text was updated successfully, but these errors were encountered: