Cert pinning
Gary E. Miller
gem at rellim.com
Thu Mar 28 23:38:44 UTC 2019
Yo Hal!
On Thu, 28 Mar 2019 16:26:55 -0700
Hal Murray via devel <devel at ntpsec.org> wrote:
> Gary said:
> >> There is a downside. Every time it changes, you have to take
> >> a leap of faith when you re-pin it, rather than getting normal
> >> CA validation.
> > You miss the point, this is in addition to normal CA validation, not an
> > alternative to it. Just like HPKP.
>
> I'm missing something important. Why would I need additional
> validation? Isn't normal certificate validation good enough?
There have been many cases, some in the last year, where black
hats have tricked CAs into issuing them certs for major domains.
Then the bogus certs were used for fraud. That is why HPKP and DANE
were invented.
Please note, I am not suggesting this will be a problem for ntpd like it
has become a problem for XMPP, smtp, https, etc. Yet.
One cool thing about HPKP and DANE is that zero user configuration
is required to get the extra security.
Potential extra security is just an added feature that you get for free
once you add certificate pinning to handle the ostfalia case.
Check the pin, but do not check the chain:
    server ostfalie.de noval pin XXXXXXX
Check the pin, and check the chain:
    server rellim.com pin YYYYYY
Now if someone can trick a CA into giving them a valid rellim.com cert
the connection will still be secure.
RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
gem at rellim.com Tel:+1 541 382 8588
Veritas liberabit vos. -- Quid est veritas?
"If you can’t measure it, you can’t improve it." - Lord Kelvin
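
The two modes sketched in the message, worked through as an added example that is not part of the original post or of NTPsec's code. It assumes the pin is an HPKP-style base64 SHA-256 of the certificate's SubjectPublicKeyInfo (the mail does not specify a pin format), that `chain_ok` is the TLS library's normal validation result, and uses constructed byte strings in place of real keys; `ServerPolicy`, `parse_server_line` and `accept` are hypothetical names.

```python
import base64
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs.
REAL_SPKI = b"constructed-spki:legitimate-server-key"
ROGUE_SPKI = b"constructed-spki:key-in-misissued-cert"

@dataclass(frozen=True)
class ServerPolicy:
    host: str
    pin: str         # assumed format: base64(SHA-256(SPKI)), as in HPKP
    validate: bool   # False when the line carries "noval"

def spki_pin(spki_der: bytes) -> str:
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def parse_server_line(line: str) -> ServerPolicy:
    # Accepts 'server HOST [noval] pin PIN', the syntax sketched in the mail.
    tok = line.split()
    if len(tok) < 2 or tok[0] != "server":
        raise ValueError(f"not a server line: {line!r}")
    host, rest, validate = tok[1], tok[2:], True
    if rest[:1] == ["noval"]:
        validate, rest = False, rest[1:]
    if len(rest) != 2 or rest[0] != "pin":
        raise ValueError(f"missing or malformed pin: {line!r}")
    return ServerPolicy(host, rest[1], validate)

def accept(policy: ServerPolicy, chain_ok: bool, spki_der: bytes) -> bool:
    # chain_ok: result of the TLS library's normal CA and hostname validation.
    pin_ok = spki_pin(spki_der) == policy.pin
    # The pin must always match; the chain may be skipped only with "noval".
    return pin_ok and (chain_ok or not policy.validate)

def scenarios() -> dict:
    both = parse_server_line(f"server rellim.com pin {spki_pin(REAL_SPKI)}")
    noval = parse_server_line(f"server ostfalie.de noval pin {spki_pin(REAL_SPKI)}")
    return {
        "valid chain, pinned key": accept(both, True, REAL_SPKI),
        "mis-issued cert, CA-valid, other key": accept(both, True, ROGUE_SPKI),
        "pinned key, broken chain": accept(both, False, REAL_SPKI),
        "noval: pinned key, broken chain": accept(noval, False, REAL_SPKI),
        "noval: other key": accept(noval, False, ROGUE_SPKI),
    }
```

Only the first and fourth scenarios are accepted: a CA-valid certificate carrying a different key fails the pin, and a broken chain passes only where `noval` was configured.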