Cert pinning
Matthew Selsky
Matthew.Selsky at twosigma.com
Fri Mar 29 03:22:58 UTC 2019
On Thu, Mar 28, 2019 at 04:38:44PM -0700, Gary E. Miller via devel wrote:
> Potential extra security is just an added feature that you get for free
> once you add certificate pinning to handle the ostfalia case.
>
> Check the pin, but do not check the chain:
>
> server ostfalie.de noval pin XXXXXXX
>
> Check the pin, and check the chain:
>
> server rellim.com pin YYYYYY
>
> Now if someone can trick a CA into giving them a valid rellim.com cert
> the connection will still be secure.
Do you have an example of software that implements pinning as BOTH a central trust store + a specific pin?
postfix allows the user to specify a trust-anchor file per destination. So a typical postfix tls policy table (when you need specific TLS policy rules) might have:
foo.com secure tafile=/etc/ssl/certs/QuoVadis_Root_CA_2_G3.pem
bar.com secure
So foo.com is required to match a specific commercial CA and bar.com is allowed to match any CA in the system trust store.
See http://www.postfix.org/postconf.5.html#smtp_tls_trust_anchor_file
Thanks,
-Matt
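To make the two mechanisms discussed in this thread concrete, here is an added example (not NTPsec or postfix code) that builds a small constructed PKI with the openssl CLI and then applies three per-destination rules to a leaf certificate: "secure" validates the chain against one named trust-anchor file only (what postfix's "secure tafile=" does), "pin" validates the chain against that anchor AND compares an SPKI pin, and "noval" compares only the pin without chain validation (the ostfalia case from the quoted proposal). The pin format is assumed to be base64(SHA-256(SubjectPublicKeyInfo)); the thread does not specify one. The function and mode names, the file layout under a temp directory, and the certificate subjects are all my own.

```shell
#!/bin/sh
# Added example: per-destination TLS policy with a specific trust anchor
# and/or an SPKI pin.  Requires the openssl CLI (1.1.1 or newer assumed).
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test PKI: one root ("ca") that issues the leaf, and a second,
# unrelated root ("other") standing in for some other CA a system store
# might trust.  An explicit config is used so the roots carry CA:TRUE
# regardless of the host's default openssl.cnf.
make_pki() {
  cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Constructed Root" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Other Root" -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=foo.example" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -out "$WORK/leaf.pem" 2>/dev/null
}

# spki_pin CERT: base64(SHA-256(SubjectPublicKeyInfo)) of the cert's key.
# Pinning the key rather than the whole cert survives routine re-issuance.
spki_pin() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary \
    | openssl base64
}

# chain_ok CERT TAFILE: does CERT chain to TAFILE and nothing else?
# -no-CApath/-no-CAfile keep the system store out of the decision, which
# is the point of a per-destination trust anchor.
chain_ok() {
  openssl verify -no-CApath -no-CAfile -CAfile "$2" "$1" >/dev/null 2>&1
}

# pin_ok CERT PIN: does the cert's SPKI pin equal the configured one?
pin_ok() {
  [ "$(spki_pin "$1")" = "$2" ]
}

# check_policy CERT MODE TAFILE PIN  -> exit status 0 (accept) / 1 (reject)
#   secure : chain must validate against TAFILE (postfix "secure tafile=")
#   pin    : chain must validate against TAFILE AND pin must match
#   noval  : pin must match; the chain is not validated at all
check_policy() {
  cert=$1; mode=$2; tafile=$3; want=$4
  case "$mode" in
    secure) chain_ok "$cert" "$tafile" ;;
    pin)    chain_ok "$cert" "$tafile" && pin_ok "$cert" "$want" ;;
    noval)  pin_ok "$cert" "$want" ;;
    *)      echo "unknown mode: $mode" >&2; return 2 ;;
  esac
}

# show LABEL CERT MODE TAFILE PIN: print the verdict for one rule.
show() {
  if check_policy "$2" "$3" "$4" "$5"; then echo "accept  $1"; else echo "reject  $1"; fi
}

make_pki
LEAF_PIN=$(spki_pin "$WORK/leaf.pem")
echo "leaf SPKI pin: $LEAF_PIN"
show "secure, issuing root as anchor"   "$WORK/leaf.pem" secure "$WORK/ca.pem"    ""
show "secure, unrelated root as anchor" "$WORK/leaf.pem" secure "$WORK/other.pem" ""
show "pin, issuing root + correct pin"  "$WORK/leaf.pem" pin    "$WORK/ca.pem"    "$LEAF_PIN"
show "pin, unrelated root + correct pin" "$WORK/leaf.pem" pin   "$WORK/other.pem" "$LEAF_PIN"
show "noval, correct pin only"          "$WORK/leaf.pem" noval  ""                "$LEAF_PIN"
show "noval, wrong pin"                 "$WORK/leaf.pem" noval  ""                "not-the-pin"
```

The second and fourth rules are the ones that matter for the "tricked CA" scenario in the quoted message: a certificate that chains to some other trusted root is rejected under "secure" because only the named anchor is consulted, and under "pin" it is rejected even if the chain were acceptable, because the key does not match. The "noval" rule accepts on the pin alone, so a key compromise at the pinned host is not caught by any chain check; that is the trade the ostfalia case makes.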