Cert pinning

Richard Laager rlaager at wiktel.com
Sun Mar 31 23:47:35 UTC 2019


On 3/31/19 5:07 AM, Achim Gratz via devel wrote:
> So yes, injecting the trust anchor(s) to use for a specific set of
> NTS-KE would be the easier option.

How about this:

1) Add a root=file (or dir?) option. This overrides the allowed roots
for that association. Only the root(s) in that file are allowed for that
association, regardless of what is normally on the system. So this can
be used to restrict (sort of like pinning, but only for roots), but
assuming we implement pinning, it would be mainly intended to allow a
particular root that is not trusted generally.

This option would allow Gary's scenario to validate, without needing to
trust that root system-wide. He would presumably then eliminate "noval"
from that configuration line.

2) If we want more, implement some form of pinning. As the intention of
pinning is to further restrict the trust anchors, this would be in
addition to normal validation, not instead of it. The pinning options
would be mutually exclusive of "noval" to keep the implementation
straightforward and to help prevent people from shooting themselves in
the foot.

-- 
Richard
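The two options proposed above, worked through in Python as an added example. This is not ntpsec code and the option syntax is an assumption: "root=FILE" is the message's own proposal, while "pin=sha256/BASE64" (an RFC 7469-style SPKI hash) is a hypothetical spelling of the pinning option, chosen because the message leaves the exact form of pinning open. The example loads only the association's own root file (no system roots) when root= is given, refuses pin= together with noval, and checks the pin only after the TLS layer's normal validation has run. The certificate used for the offline run is a constructed DER skeleton, not a real certificate.

```python
"""Per-association trust anchors plus optional SPKI pinning for an NTS-KE client.
Added illustration, not ntpsec code. Hypothetical option syntax:
  server HOST nts [noval] [root=FILE] [pin=sha256/BASE64 ...]
"""
import base64
import hashlib
import ssl
from dataclasses import dataclass, field
from typing import List, Optional


class ConfigError(ValueError):
    """Raised for an association line the policy rejects."""


@dataclass
class Association:
    host: str
    noval: bool = False          # skip certificate validation entirely
    root: Optional[str] = None   # hypothetical root=FILE: the only trusted root(s)
    pins: List[str] = field(default_factory=list)  # hypothetical pin=sha256/... options


def parse_association(line: str) -> Association:
    """Parse one association line and enforce the noval/pin exclusivity rule."""
    tokens = line.split()
    if len(tokens) < 3 or tokens[0] != "server" or tokens[2] != "nts":
        raise ConfigError("expected: server HOST nts [options]")
    assoc = Association(host=tokens[1])
    for tok in tokens[3:]:
        if tok == "noval":
            assoc.noval = True
        elif tok.startswith("root="):
            assoc.root = tok[len("root="):]
        elif tok.startswith("pin=sha256/"):
            assoc.pins.append(tok[len("pin="):])
        else:
            raise ConfigError(f"unknown option {tok!r}")
    if assoc.pins and assoc.noval:
        # Pinning only makes sense on top of normal validation; refuse the combination.
        raise ConfigError("pin= and noval are mutually exclusive")
    return assoc


def build_context(assoc: Association, load_roots: bool = True) -> ssl.SSLContext:
    """TLS client context honouring the association's trust-anchor policy."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check by default
    if assoc.noval:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    elif assoc.root is not None:
        # Only the roots in this file are trusted; system roots are deliberately NOT loaded.
        if load_roots:
            ctx.load_verify_locations(cafile=assoc.root)
    else:
        ctx.load_default_certs()
    return ctx


def _der_tlv(buf: bytes, pos: int):
    """Decode one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def pin_of_spki(spki_der: bytes) -> str:
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def spki_pin(cert_der: bytes) -> str:
    """Pin of a DER certificate's SubjectPublicKeyInfo (what getpeercert(binary_form=True) gives)."""
    _, tbs_start, _ = _der_tlv(cert_der, 0)       # Certificate SEQUENCE
    _, pos, _ = _der_tlv(cert_der, tbs_start)      # tbsCertificate SEQUENCE
    tag, _, nxt = _der_tlv(cert_der, pos)
    if tag == 0xA0:                                # optional EXPLICIT [0] version
        pos = nxt
    for _ in range(5):                             # serialNumber, signature, issuer, validity, subject
        _, _, pos = _der_tlv(cert_der, pos)
    _, _, end = _der_tlv(cert_der, pos)            # subjectPublicKeyInfo
    return pin_of_spki(cert_der[pos:end])


def check_pins(assoc: Association, cert_der: bytes) -> bool:
    """Run after the handshake, i.e. after normal validation: True if no pins or one matches."""
    return not assoc.pins or spki_pin(cert_der) in assoc.pins


def _tlv(tag: int, body: bytes) -> bytes:
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def constructed_cert():
    """Constructed, structurally valid DER skeleton (NOT a real certificate) for offline use."""
    spki = _tlv(0x30, _tlv(0x30, b"\x06\x03\x2a\x03\x04") + _tlv(0x03, b"\x00" + b"\x11" * 130))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02"))      # version v3
                     + _tlv(0x02, b"\x01")                  # serialNumber
                     + _tlv(0x30, b"") + _tlv(0x30, b"")    # signature, issuer
                     + _tlv(0x30, b"") + _tlv(0x30, b"")    # validity, subject
                     + spki)
    return _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00")), spki
```

In a real client the flow is: parse the line, build the context, wrap the socket and complete the handshake (the ssl module does chain validation against exactly the loaded roots), then call check_pins() on getpeercert(binary_form=True) and abort the NTS-KE exchange if it returns False.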

