Certificate pinning

Achim Gratz Stromeko at nexgo.de
Mon Nov 8 19:21:37 UTC 2021


Hal Murray via devel writes:
>> That doesn't do pinning, it reduces the source of trust anchors to just a
>> single one. 
>
> Thanks.  Would you please give me a lesson (or pointer to one) on this area.

https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning

> Does pinning work with a typical cert-chain that I get from a server?  If so, 
> where do I get the certificate that I'm looking for?

Most certificate chains you will encounter for public systems have at
least one intermediate.  You probably should pin both the intermediate
and the root certificate, but continue to validate both.  If you put the
trust anchor at the intermediate, any certificate validation stops there
(and if the chain has alternates they won't be checked either of
course).


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Samples for the Waldorf Blofeld:
http://Synth.Stromeko.net/Downloads.html#BlofeldSamplesExtra
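The pinning scheme Achim describes above, as an added example in Go that is not from this thread or from any project: pin the SubjectPublicKeyInfo hashes of the intermediate and the root, but let the library's normal chain validation run first and only then apply the pins. It assumes Go's crypto/tls VerifyPeerCertificate hook, which is handed only chains that already validated against the trust store and hostname; accepting a chain when it carries at least one pinned issuer key (so intermediate and root back each other up) is my design choice, following common pin-set practice.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
)

// spkiPin: base64(SHA-256(DER SubjectPublicKeyInfo)); pins the key, not the cert.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// checkPinnedChain runs only after normal validation succeeded: Go hands it the
// chains that already validated. A chain passes when some issuer at index 1 or
// above (index 0 is the leaf) carries a pinned key; leaf keys are never pins here.
func checkPinnedChain(verifiedChains [][]*x509.Certificate, pins map[string]bool) error {
	for _, chain := range verifiedChains {
		for i := 1; i < len(chain); i++ {
			if pins[spkiPin(chain[i])] {
				return nil
			}
		}
	}
	return errors.New("no verified chain contains a pinned issuer key")
}

// pinnedConfig keeps default validation and layers the pin check on top. Never
// combine this with InsecureSkipVerify: verifiedChains would then be empty.
func pinnedConfig(pins map[string]bool) *tls.Config {
	return &tls.Config{
		VerifyPeerCertificate: func(_ [][]byte, verified [][]*x509.Certificate) error {
			return checkPinnedChain(verified, pins)
		},
	}
}

func main() {
	// Constructed stand-in chain (SPKI bytes only, no real keys) to exercise the check.
	leaf := &x509.Certificate{RawSubjectPublicKeyInfo: []byte("leaf-key")}
	inter := &x509.Certificate{RawSubjectPublicKeyInfo: []byte("intermediate-key")}
	root := &x509.Certificate{RawSubjectPublicKeyInfo: []byte("root-key")}
	pins := map[string]bool{spkiPin(inter): true, spkiPin(root): true}
	fmt.Println(checkPinnedChain([][]*x509.Certificate{{leaf, inter, root}}, pins)) // prints <nil>
}
```

In real use the config from pinnedConfig is passed to tls.Dial or an http.Transport; the pins themselves come from the chain you fetched and verified out of band, not from the first connection.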


