Certificate geekery
Hal Murray
halmurray at sonic.net
Sun Dec 3 09:22:35 UTC 2023
I'm working on devel-TODO-NTS. (mostly deleting things)
Currently, if a bad guy hacks or arm-twists a certificate authority, they can
sign a certificate that the bad guy can use for a MITM attack.
We can make that a lot harder if we lookup the current root certificate that a
server is currently using, find that certificate in a system's root cert
collection, and add a ca xxx to the server line. That doesn't take any
changes to ntpd.
It needs some script hacking. I think the openssl command can handle much of
the details.
Is that called pinning? If not, is there a term for it?
Wiki has a page for a related proposal:
https://en.wikipedia.org/wiki/Certificate_pinning
Is this interesting?
Anybody interested in writing that script?
------
There is another tangle with verifying certificates. OCSP
Is that interesting?
https://en.wikipedia.org/wiki/OCSP
--
These are my opinions. I hate spam.
More information about the devel
mailing list