Cert pinning

Gary E. Miller gem at rellim.com
Thu Mar 28 23:24:08 UTC 2019


Yo Richard!

On Thu, 28 Mar 2019 18:14:16 -0500
Richard Laager via devel <devel at ntpsec.org> wrote:

> On 3/28/19 6:07 PM, Gary E. Miller via devel wrote:
> > Yo Richard!
> > 
> > On Thu, 28 Mar 2019 17:55:36 -0500
> > Richard Laager via devel <devel at ntpsec.org> wrote:
> >   
> >> On 3/28/19 5:47 PM, Gary E. Miller via devel wrote:  
> >>> Don't care.  I like that the cert is pinned.    
> >>
> >> There is a downside. Every time it changes, you have to take a
> >> leap of faith when you re-pin it, rather than getting normal CA
> >> validation.  
> > 
> > You miss the point, this is in addition to normal CA validation, not
> > an alternative to it.  Just like HPKP.  
> 
> No, it's not. Pidgin only pops up that dialog if it can't validate the
> certificate. So validation has failed, and you're taking a leap of
> faith to accept the new certificate each time it changes.

So, maybe, the message is imprecise:  The cert changed, please approve.

But, once again, I don't care exactly what Pidgin is doing.  Just using
it as one of many common examples of how key pinning is done all around
us all the time.  There are the good, the bad, and the ugly.

We just need to decide what is correct for NTPsec to do.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin
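
Added example, not part of the original message and not NTPsec code: a sketch of the "pin in addition to normal CA validation" model argued for above, where the pin is only consulted after the standard chain and hostname checks succeed. The names connect_pinned, pin_matches and PinMismatch are hypothetical, and the pin covers the whole certificate (HPKP pinned the public key instead).

```python
import hashlib
import hmac
import socket
import ssl


class PinMismatch(Exception):
    """CA validation passed, but the certificate is not in the pin set."""


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pins) -> bool:
    """True if the certificate's fingerprint equals any configured pin."""
    fp = cert_fingerprint(der_cert)
    # Accept "AA:BB:..." or plain hex in the configured pins.
    normalized = (p.strip().lower().replace(":", "") for p in pins)
    return any(hmac.compare_digest(fp, p) for p in normalized)


def connect_pinned(host: str, port: int, pins, timeout: float = 5.0) -> str:
    """Handshake with host; require CA validation AND a pin match."""
    # Default context: chain validation against system CAs plus hostname check.
    # A certificate that fails here raises before the pin is ever consulted,
    # so there is no "accept the new cert anyway" path.
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not pin_matches(der, pins):
                raise PinMismatch(f"{host}: {cert_fingerprint(der)} not pinned")
            return cert_fingerprint(der)


# Constructed bytes standing in for a DER certificate (offline demo only).
SAMPLE_DER = b"constructed-sample-not-a-real-certificate"

if __name__ == "__main__":
    pin = cert_fingerprint(SAMPLE_DER)
    print("pinned cert accepted:", pin_matches(SAMPLE_DER, {pin}))
    print("changed cert accepted:", pin_matches(b"rotated-cert", {pin}))
```

With this ordering a routine certificate renewal still fails the pin check, so the pin set has to be updated through a trusted channel before the server rotates.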