We discussed the follow-up of CVE-2025-24032 and its fixes, and the way pam_pkcs11 is implemented: its signature check just verifies that the user has some key with a certificate that can produce a signature.
This is insufficient when authenticating a user to a system, as it does not verify the certificate against any CA known to the system, so I believe the default should really be ca, signature and nothing less.
Therefore my suggestion would be to change the default to this and to change the ca option to no_ca, so it could be turned off only explicitly, the same as the signature check. Any thoughts?
Sorry for joining late to the discussion.
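For readers following the thread, here is what the two policies look like in a pam_pkcs11.conf module block. This is an added illustration, not a fragment from the mailing-list post or from the pam_pkcs11 project's shipped config. The module name, the .so path, and the ca_dir/crl_dir locations are assumptions for a typical OpenSC install; adjust them to your distribution. The no_ca keyword referred to in the post is only a proposal and is not shown here because pam_pkcs11 does not accept it today.

```conf
# Assumed pam_pkcs11.conf excerpt (illustrative, not the upstream example file).
pam_pkcs11 {
  use_pkcs11_module = opensc;            # assumed module name

  pkcs11_module opensc {
    module = /usr/lib/opensc-pkcs11.so;  # assumed path, varies by distro
    description = "OpenSC PKCS#11 module";
    slot_description = "none";

    # Trust anchors the "ca" policy checks the user certificate against.
    # The directory needs OpenSSL-style hash symlinks (pam_pkcs11 ships
    # make_hash_link.sh for this); an empty or unhashed ca_dir makes the
    # "ca" check fail closed for every user.
    ca_dir  = /etc/pam_pkcs11/cacerts;   # assumed location
    crl_dir = /etc/pam_pkcs11/crls;      # assumed location

    # Weaker setting discussed in the thread: proves the token holds a
    # private key matching *some* certificate, but not that the
    # certificate chains to a CA this system trusts.
    # cert_policy = signature;

    # Proposed default from the post: chain to a trusted CA AND prove
    # possession of the matching private key. Add crl_auto or ocsp_on
    # if revocation checking is also required.
    cert_policy = ca,signature;

    token_type = "Smart card";
  }
}
```

Note that `ca` without `signature` is not a substitute either: it would accept a certificate that chains correctly without proving the user controls the key, which is why the two policies belong together.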