[jdev] https://github.com/stpeter/manifesto and additional ideas
dave at cridland.net
Fri Nov 15 11:52:59 UTC 2013
On Fri, Nov 15, 2013 at 10:26 AM, Winfried Tilanus <winfried at tilanus.com> wrote:
> Now take a look at the manifesto. It states:
> "provide user or administrative interfaces showing:
> o a warning about any changes to a server's certificate"
> that last point IS certificate pinning.
That's not quite what Ralf is asking for. He's asking for (one of the)
pinning mechanisms which allow a certificate transition to itself be
authenticated. They're actually mechanisms to allow pinning to work, rather
than pinning per se.
Mostly, they operate either by an additional level of indirection (i.e.,
essentially a mini-CA) or by advance notice signed by the original
certificate - there's a number of options, but they all boil down to a
method to remove that "ask the user" phase when the certificate changes, by
allowing the client to make the assertion that the new certificate has the
same identity as the old one.