Cert pinning

Richard Laager rlaager at wiktel.com
Thu Mar 28 23:36:54 UTC 2019


On 3/28/19 6:26 PM, Hal Murray via devel wrote:
> 
> Gary said:
>>> There is a downside. Every time it changes, you have to take
>>> a leap of faith when you re-pin it, rather than getting normal
>>> CA validation.
>> You miss the point, this is in addition to normal CA validation, not an
>> alternative to it.  Just like HPKP.
> 
> I'm missing something important.  Why would I need additional validation?  
> Isn't normal certificate validation good enough?

In normal validation, ANY root CA can sign a certificate for my domain
and it will be trusted by clients.

I might want to pin the NTS association for ntp1.wiktel.com to require
that its certificate be issued by Let's Encrypt. Or, I might want to pin
it to my internal CA.

-- 
Richard
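The distinction Richard draws (pinning as an extra check layered on top of, not instead of, normal chain validation) is easy to see in code. The following Go program is an added example written for this thread; it is not code from the thread or from any NTP implementation. It mints two trusted roots in memory (constructed, throw-away keys): "My CA", whose intermediate the operator pins, and "Other Root", a second trusted CA that normal validation alone would also accept for the same host. `VerifyWithPins` first runs ordinary path validation and only then requires a pinned SubjectPublicKeyInfo hash somewhere in the validated chain, which is the HPKP-style pin format; the host name `ntp1.wiktel.com` is taken from the message, and the CA names and function names are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Host from the thread; every certificate below is constructed locally for the example.
const host = "ntp1.wiktel.com"

// SPKIPin returns the HPKP-style pin value: base64(SHA-256(DER SubjectPublicKeyInfo)).
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// NormalValidationOnly is what a client does without pinning: any trusted root may vouch.
func NormalValidationOnly(leaf *x509.Certificate, inter, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inter})
	return err
}

// VerifyWithPins performs normal validation first and then additionally requires that at
// least one certificate in a validated chain carries a pinned key. Pinning the issuing CA's
// key (rather than the leaf's) lets the leaf be reissued freely by that same CA.
func VerifyWithPins(leaf *x509.Certificate, inter, roots *x509.CertPool, pins map[string]bool) error {
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inter})
	if err != nil {
		return fmt.Errorf("normal validation failed: %w", err)
	}
	for _, chain := range chains {
		for _, cert := range chain {
			if pins[SPKIPin(cert)] {
				return nil
			}
		}
	}
	return errors.New("chain is trusted but contains no pinned key")
}

// mint signs tmpl with parent's key; a nil parent produces a self-signed certificate.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

func caTemplate(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}

func leafTemplate(serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// Scenario holds two trusted roots: "My CA" (pinned via its intermediate) and "Other Root",
// another trusted CA that could also issue for the host under normal validation alone.
type Scenario struct {
	Roots, Inter      *x509.CertPool
	MyLeaf, OtherLeaf *x509.Certificate
	Pins              map[string]bool
}

func Build() Scenario {
	myRoot, myRootKey := mint(caTemplate(1, "My CA Root"), nil, nil)
	myInter, myInterKey := mint(caTemplate(2, "My CA Intermediate"), myRoot, myRootKey)
	myLeaf, _ := mint(leafTemplate(3), myInter, myInterKey)
	otherRoot, otherRootKey := mint(caTemplate(4, "Other Root"), nil, nil)
	otherLeaf, _ := mint(leafTemplate(5), otherRoot, otherRootKey)

	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(myRoot)
	roots.AddCert(otherRoot)
	inter.AddCert(myInter)
	return Scenario{roots, inter, myLeaf, otherLeaf, map[string]bool{SPKIPin(myInter): true}}
}

func main() {
	s := Build()
	fmt.Println("other CA, normal validation:", NormalValidationOnly(s.OtherLeaf, s.Inter, s.Roots))
	fmt.Println("my CA, with pin:            ", VerifyWithPins(s.MyLeaf, s.Inter, s.Roots, s.Pins))
	fmt.Println("other CA, with pin:         ", VerifyWithPins(s.OtherLeaf, s.Inter, s.Roots, s.Pins))
}
```

Running it shows the three outcomes the thread is arguing about: the "Other Root" leaf passes normal validation (the problem Richard describes), the pinned CA's leaf passes both checks, and the "Other Root" leaf fails only the added pin check. A client that pins an intermediate or root rather than the leaf key still tolerates routine leaf renewals, which is the reason to pin the CA rather than the server certificate itself.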