Cert pinning

Achim Gratz Stromeko at nexgo.de
Sun Mar 31 10:13:10 UTC 2019


Matthew Selsky via devel writes:
> Do you have an example of software that implements pinning as BOTH a
> central trust store + a specific pin?

Pinning doesn't provide a trust store, it restricts it.

> postfix allows the user to specify a trust-anchor file per destination. So a typical postfix tls policy table (when you need specific TLS policy rules) might have:
>
> foo.com secure tafile=/etc/ssl/certs/QuoVadis_Root_CA_2_G3.pem
> bar.com secure
>
> So foo.com is required to match a specific commercial CA and bar.com is allowed to match any CA in the system trust store.

Yes, except that larger servers would probably want to have multiple CAs
listed.  But in general I think giving NTS its own trust anchors
(either generally or per host) is the right way forward.  Also scope
restrictions (PKIX) should be evaluated.


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Waldorf MIDI Implementation & additional documentation:
http://Synth.Stromeko.net/Downloads.html#WaldorfDocs