Cert pinning

Gary E. Miller gem at rellim.com
Thu Mar 28 22:35:26 UTC 2019


Yo Richard!

On Thu, 28 Mar 2019 17:00:51 -0500
Richard Laager via devel <devel at ntpsec.org> wrote:

> On 3/28/19 3:01 PM, Gary E. Miller via devel wrote:
> > server nts3-e.ostfalia.de:443 nts noval pin
> > 60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18  
> 
> I think the "pin" option should take (as an argument or in its name),
> the hash algorithm being used (presumably SHA-256 here, but it could
> change in the future). For example, HPKP uses pin-sha256 as the name.

If we are going to design the option, then it needs the algorithm, and
what it is pinned to.  You can pin to the provided cert, the cert that
signed the cert, the full chain of the cert, the root that signed the
cert, or just the public key of the cert.

Some pinning clients also specify a max age for the pin.

This goes into detail on many of the options:

https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning

Here is sample C code to have OpenSSL do pinning:

https://www.owasp.org/images/f/f7/Pubkey-pin-openssl.zip



RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin
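As an added illustration of the two points above (naming the hash algorithm and saying what is pinned), here is stdlib-only Python, not NTPsec code and not the OWASP sample: it walks a DER certificate to its SubjectPublicKeyInfo and checks a pin written in an assumed `<what>/<algo>:<hex>` syntax, using constructed certificates so that a "renewed" cert with the same key keeps its SPKI pin but breaks a whole-cert pin.

```python
import hashlib

def der(tag, content):
    """Minimal DER TLV encoder (short and long-form lengths)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def tlv(buf, off):
    """Return (tag, start, end, content_start) of the TLV at offset off."""
    tag, ln, hdr = buf[off], buf[off + 1], 2
    if ln & 0x80:                                  # long-form length
        k = ln & 0x7F
        ln = int.from_bytes(buf[off + 2:off + 2 + k], "big")
        hdr += k
    return tag, off, off + hdr + ln, off + hdr

def spki_of(cert_der):
    """Extract the SubjectPublicKeyInfo TLV from an X.509 DER certificate."""
    _, _, _, tbs_off = tlv(cert_der, 0)            # Certificate SEQUENCE
    _, _, tbs_end, off = tlv(cert_der, tbs_off)    # tbsCertificate SEQUENCE
    fields = []
    while off < tbs_end:
        tag, start, end, _ = tlv(cert_der, off)
        fields.append((tag, cert_der[start:end]))
        off = end
    if fields[0][0] == 0xA0:                       # optional explicit [0] version
        fields.pop(0)
    # serial, signature alg, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]

def pin(data, algo="sha256"):
    return "%s:%s" % (algo, hashlib.new(algo, data).hexdigest())

def check_pin(spec, cert_der):
    """spec is '<what>/<algo>:<hex>', what in {cert, spki} (assumed syntax)."""
    what, digest = spec.split("/", 1)
    data = cert_der if what == "cert" else spki_of(cert_der)
    return pin(data, digest.split(":", 1)[0]) == digest

# Constructed sample: an rsaEncryption SPKI with placeholder key bits, wrapped
# in two certificates that differ only in serial number (same key, "renewed").
SPKI = der(0x30, der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")
                     + der(0x05, b"")) + der(0x03, b"\x00" + b"\x01" * 200))

def fake_cert(serial):
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, serial) + der(0x30, b"")
           + der(0x30, b"") + der(0x30, b"") + der(0x30, b"") + SPKI)
    return der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00"))

CERT_V1, CERT_V2 = fake_cert(b"\x01"), fake_cert(b"\x02")
```

Pinning `cert/` + `pin(CERT_V1)` accepts only CERT_V1, while `spki/` + `pin(SPKI)` accepts both, which is why the option has to say what it pins as well as which hash it uses.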