Cert pinning

[Hal Murray]

[Argh.  Sorry for the duplicate.  I forgot to cc the list.]

> Sad.  Seems we've been around this May Pole way too many times already... You
> have nothing new to say below, and my answers are also not new. 

Richard's summary matches my understanding.


> Agreed, sort of.  This assumes fixes that do not exist.  So "assuming a
> canopener".  It also assumes that less than perfect security is no security.

The problem with pseudo security is that people might think it really is 
secure.

If it's not (real) secure, I think we should make a lot of noise about using 
it.

> Part of the rationale for NTS is that since the cookies change every request,
> then the user can not be tracked. "noval" does not remove that feature, or
> some other goodness. 

Why are you bringing up tracking?  Is it related to security?  To pinning?


> Agreed, sort of.  The "ca", which is an "assumed can opener", does not solve
> many very similar cases. 

My plan is to implement the per-server "ca" as soon as I can.  The API I want 
isn't available, but I think I see a reasonable way to implement it.

That will solve the problem of self-certified certificates.  How many of your 
"many very similar" cases are interesting?



> Personally, I'd rather have DANE type pinning before "ca".  And once "ca" is
> implemented would like to do both. 

Are you trying to use DANE as a substitute for normal certificate checking or 
as a supplement?

I don't fully understand DANE yet.  A good example might help.  Is there a 
HOWTO type web page telling me how to set things up?  ...

Is it widely deployed?  Does my browser use it?


-- 
These are my opinions.  I hate spam.