external data TLS should not depend on caBundle if we can use system verifier #2452
Comments
@enj any docs for system verifier?
@maxsmythe the x509.Certificate.Verify code is the best way to understand what will happen on different configs based on the OS, the docs are open ended because of the large number of branches:

// If opts.Roots is nil, the platform verifier might be used, and
// verification details might differ from what is described below. If system
// roots are unavailable the returned error will be of type SystemRootsError.

Generally speaking, leaving
Oh gotcha, I thought "system verifier" was some K8s-specific thing for verifying workloads (similar to Istio). Sounds like you're saying "use default trusted system certs". I suppose I don't have anything against using OS-trusted certs in principle, since root CAs would need to be compromised for it to be risky. Is there any risk of users finding this behavior unexpected? What behavior does the VWH system have for this?
Using system roots by default is what I have traditionally seen, VWHs have that behavior as well.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.
still interesting
Describe the solution you'd like
from @enj:
This is a scenario where real-signed certs can be used (for example, with Let's Encrypt) and the system verifier can validate