[cryptography] wont CA hackers CA pin also? and other musings (Re: PKI "fixes" that don't fix PKI (part III))

Thierry Moreau thierry.moreau at connotech.com
Sun Sep 11 10:25:29 EDT 2011


Ian G wrote:
> Hi Adam,
> 
> On 10/09/2011, at 20:16, Adam Back <adam at cypherspace.org> wrote:
> 
>> So I hear CA pinning mentioned a bit as a probable way forward, but I didn't
>> see anyone define it on this list,
> 
> Adam described it in this list. The specific mechanism is less important than what it achieves: the browser knows that the website is constrained to use the certs of only one CA.
> 
> The rest is implementation detail.

E.g. http://datatracker.ietf.org/wg/dane/ (DNS-based Authentication of 
Named Entities (dane))

and http://datatracker.ietf.org/doc/draft-ietf-dane-protocol/ (Using 
Secure DNS to Associate Certificates with Domain Names For TLS)

Regards,

-- 
- Thierry Moreau

CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, QC, Canada H2M 2A1

Tel. +1-514-385-5691
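
Neither the thread nor the DANE draft it points to includes code; the Go program below is an added example, not from either, of the check the quoted sentence describes: the browser verifies that the presented chain is constrained to one pinned CA. The constraint is expressed as a TLSA record in the shape of draft-ietf-dane-protocol (published as RFC 6698); the TLSA struct, the newCert fixture and the certificates it mints are constructed for this example, and only selector 1 (SubjectPublicKeyInfo) with matching type 1 (SHA-256) is implemented.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// TLSA holds the RFC 6698 record fields; only selector 1 (SPKI) with matching type 1 (SHA-256) is handled, so Data is a 32-byte digest.
type TLSA struct {
	Usage, Selector, MatchingType uint8
	Data                          [32]byte
}
// spkiSHA256 digests the SubjectPublicKeyInfo, so the pin survives a certificate reissue under the same key.
func spkiSHA256(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }
// matchesTLSA checks a presented chain (leaf first): usage 2 (DANE-TA) needs a CA cert in the chain to match the record, usage 3 (DANE-EE) needs the leaf itself to match.
func matchesTLSA(rec TLSA, chain []*x509.Certificate) bool {
	if rec.Selector != 1 || rec.MatchingType != 1 || len(chain) == 0 {
		return false
	}
	switch rec.Usage {
	case 3:
		return spkiSHA256(chain[0]) == rec.Data
	case 2:
		for _, c := range chain[1:] {
			if c.IsCA && spkiSHA256(c) == rec.Data {
				return true
			}
		}
	}
	return false
}
// newCert mints a throwaway certificate (constructed fixture, not a real CA); parent == nil self-signs.
func newCert(cn string, isCA bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
```

A chain issued by any CA other than the pinned one fails the usage 2 check even if that CA is in the browser's trust store, which is the whole point of the constraint.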
