| Certificate condition | What themis does now (v0.4.19) | What we want themis to do. |
|---|---|---|
| no peer certificates. | trust of 0 |
trust of 0 |
| peer certificate in a chain we DO NOT trust | trust of 1000 |
trust of 0 |
| peer certificate in a chain we DO trust | trust of 1000 |
trust of 1000 |
The existing check for CommonName and DNSSuffixes is a red herring. As long as we properly check the certificate chain, the right trust should be given.