Cert pinning
Richard Laager
rlaager at wiktel.com
Thu Mar 28 23:36:54 UTC 2019
On 3/28/19 6:26 PM, Hal Murray via devel wrote:
>
> Gary said:
>>> There is a downside. Every time it changes, you have to take
>>> a leap of faith when you re-pin it, rather than getting normal
>>> CA validation.
>> You miss the point, this is addition to normal CA validation, not an
>> alternative to it. Just like HPKP.
>
> I'm missing something important. Why would I need additional validation?
> Isn't normal certificate validation good enough?
In normal validation, ANY root CA can sign a certificate for my domain
and it will be trusted by clients.
I might want to pin the NTS association for ntp1.wiktel.com to require
that its certificate be issued by Let's Encrypt. Or, I might want to pin
it to my internal CA.
--
Richard
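As an added example (not part of this thread, and not NTPsec code), the Go program below shows the two-step check Richard describes: ordinary chain validation against the trust store first, then an additional requirement that the validated chain contain a pinned public key, in the HPKP style of base64(SHA-256(SubjectPublicKeyInfo)). Everything here is constructed test data: two self-signed CAs are generated in-process ("CA A" stands in for Let's Encrypt, "CA B" for any other trusted root), both are placed in the trust store, and each issues a certificate for ntp1.wiktel.com. The function names (newCA, issueLeaf, spkiPin, verifyPinned, Demo) are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCA builds a self-signed CA certificate and key (constructed test data).
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// issueLeaf has the given CA sign a server certificate for dnsName.
func issueLeaf(dnsName string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// spkiPin returns the HPKP-style pin for a certificate: base64(SHA-256(SPKI)).
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// verifyPinned runs normal CA validation (chain building, expiry, hostname)
// and only then requires that some certificate in a validated chain carries
// one of the pinned public keys. Pinning is in addition to CA validation,
// never a replacement for it.
func verifyPinned(leaf *x509.Certificate, roots *x509.CertPool, dnsName string, pins []string) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName})
	if err != nil {
		return err
	}
	pinned := make(map[string]bool, len(pins))
	for _, p := range pins {
		pinned[p] = true
	}
	for _, chain := range chains {
		for _, c := range chain {
			if pinned[spkiPin(c)] {
				return nil
			}
		}
	}
	return errors.New("chain is CA-valid but contains none of the pinned keys")
}

// Demo returns: the pinned-verification result for a leaf issued by the
// pinned CA, the plain CA-validation result for a leaf issued by the other
// trusted CA, and the pinned-verification result for that second leaf.
func Demo() (goodErr, otherPlainErr, otherPinnedErr error) {
	caA, keyA := newCA("Constructed CA A (stands in for Let's Encrypt)")
	caB, keyB := newCA("Constructed CA B (another trusted root)")
	roots := x509.NewCertPool()
	roots.AddCert(caA)
	roots.AddCert(caB)
	pins := []string{spkiPin(caA)} // operator pins CA A for ntp1.wiktel.com

	host := "ntp1.wiktel.com"
	fromA := issueLeaf(host, caA, keyA)
	fromB := issueLeaf(host, caB, keyB) // valid for any client that trusts CA B

	_, otherPlainErr = fromB.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return verifyPinned(fromA, roots, host, pins), otherPlainErr, verifyPinned(fromB, roots, host, pins)
}

func main() {
	goodErr, otherPlainErr, otherPinnedErr := Demo()
	fmt.Println("leaf from pinned CA A, pinned check:", goodErr)
	fmt.Println("leaf from CA B, plain CA validation:", otherPlainErr)
	fmt.Println("leaf from CA B, pinned check:", otherPinnedErr)
}
```

The leaf from CA B passes plain validation (any root in the store can sign for the name) and is rejected only by the pin check; the leaf from CA A passes both. Pinning the CA's key rather than the leaf's key is what lets routine certificate renewal under the same issuer succeed without re-pinning.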