[jdev] https://github.com/stpeter/manifesto and additional ideas
dave at cridland.net
Thu Nov 14 17:07:51 UTC 2013
On Thu, Nov 14, 2013 at 4:34 PM, Ralf Skyper Kaiser <skyper at thc.org> wrote:
> Pinning does not require a CA at all (private or public). Why use a
> feature (DANE) that requires a CA if it is possible to have the same level
> of security with Pinning; which requires no CA, works well with self-signed
> certificates, requires no infrastructure upgrade and which puts the direct
> trust into the hands of the server-admins?

I may regret asking, but how do you see this working with federation?

So each server presumably makes an unattended leap-of-faith in order to get
your pinning info, and then every server has to store the pinning info for
every other server they ever contact?

If the certificate was *also* signed by a CA, you'd at least limit the
initial LoF, and protect yourself against subsequent CA compromise - which
is basically the attack that Perrin et al consider. I hold that DANE
provides security against *initial* CA compromise as well, and obviates the
need for pinning as such - it certainly requires an infrastructure upgrade,
but provides a security upgrade as well.

As such, I suspect your quote above has several flaws:

a) DANE does not require a CA.
b) DANE does work with self-signed certificates.
c) DANE provides a higher level of security compared to mere pinning.
d) DANE also puts direct trust into the hands of the service admin.
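
The first-contact difference argued in this message, as an added example that is not part of the original post: a trust-on-first-use pin store next to a DANE-EE check against a TLSA record (RFC 6698 usage 3). The names `PinStore`, `dane_ee_accepts` and `peer.example`, and the sample certificate bytes, are constructed for illustration; only selector 0 (full certificate) is handled, and the TLSA RRset is assumed to have been DNSSEC-validated already.

```python
import hashlib

# TLSA matching types from RFC 6698: 0 = exact bytes, 1 = SHA-256, 2 = SHA-512.
def tlsa_digest(mtype, data):
    if mtype == 0:
        return data
    if mtype == 1:
        return hashlib.sha256(data).digest()
    if mtype == 2:
        return hashlib.sha512(data).digest()
    raise ValueError("unknown TLSA matching type %d" % mtype)

def dane_ee_accepts(tlsa_rrset, cert_der):
    """True if any usage-3 (DANE-EE), selector-0 (full certificate) record
    matches the presented certificate. No CA chain is consulted, so a
    self-signed certificate passes when the validated record names it."""
    for usage, selector, mtype, assoc in tlsa_rrset:
        if usage == 3 and selector == 0 and tlsa_digest(mtype, cert_der) == assoc:
            return True
    return False

class PinStore:
    """Trust-on-first-use store: one SHA-256 pin per peer domain."""
    def __init__(self):
        self.pins = {}

    def check(self, domain, cert_der):
        fp = hashlib.sha256(cert_der).digest()
        if domain not in self.pins:
            self.pins[domain] = fp   # unattended leap of faith
            return "pinned-on-first-use"
        return "match" if self.pins[domain] == fp else "mismatch"

# Constructed stand-ins for DER certificates; only their bytes are hashed here.
REAL_CERT = b"constructed-self-signed-cert-of-peer.example"
OTHER_CERT = b"constructed-cert-presented-by-someone-else"
# Constructed TLSA RRset, assumed DNSSEC-validated by the resolver.
TLSA = [(3, 0, 1, hashlib.sha256(REAL_CERT).digest())]

def first_contact(cert_der):
    """Both models applied to a peer this server has never seen before."""
    return PinStore().check("peer.example", cert_der), dane_ee_accepts(TLSA, cert_der)

if __name__ == "__main__":
    print(first_contact(REAL_CERT))
    print(first_contact(OTHER_CERT))
```

On first contact the pin store records whichever certificate it is shown, while the TLSA check already distinguishes the two; the pin store only starts reporting a mismatch from the second connection onward.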