BladeFireLight
commented
9 years ago That puts the validation upstream to what ever got the thumbprint. That's fine if its manual. But if its acquired programmatically can you still validate it if need be?
From: Dave Wyattmailto:notifications@github.com Sent: 3/6/2015 11:09 AM To: dlwyatt/ProtectedDatamailto:ProtectedData@noreply.github.com Subject: [ProtectedData] Get rid of the Certificate Verification functionality (#11)
By specifying a certificate thumbprint (or object, etc), we're already saying we trust the key pair associated with that hash, regardless of whether it's self-signed or expired, etc. (The certificate is really just a container for a key pair at that point; we're bypassing the chain of trust stuff, and don't even care about the identity that the certificate was issued to.)
With that in mind, it's time to deprecate the -SkipCertificateVerification switch and just make that the default behavior.
Reply to this email directly or view it on GitHub: https://github.com/dlwyatt/ProtectedData/issues/11
dlwyatt
By specifying a certificate thumbprint (or object, etc), we're already saying we trust the key pair associated with that hash, regardless of whether it's self-signed or expired, etc. (The certificate is really just a container for a key pair at that point; we're bypassing the chain of trust stuff, and don't even care about the identity that the certificate was issued to.)
With that in mind, it's time to deprecate the -SkipCertificateVerification switch and just make that the default behavior.