2011/8/1 Howard Chu <hyc@symas.com>:
David Hawes wrote:
[...]
Think about why you would configure such a setup, and what it actually
means. When you have a certificate of your own, signed by a particular CA,
that obviously means that you must trust that CA. If you're going to accept
a cert from another party that is signed by a different CA that obviously
means that you must also trust the other CA. There is absolutely nothing
gained from isolating these two CAs, on either side of the session.

You've never been in such a situation. That doesn't mean such an
isolation is irrelevant.