[cryptography] wont CA hackers CA pin also? and other musings (Re: PKI "fixes" that don't fix PKI (part III))

Thierry Moreau thierry.moreau at connotech.com
Sun Sep 11 10:25:29 EDT 2011

Ian G wrote:
> Hi Adam,
> On 10/09/2011, at 20:16, Adam Back <adam at cypherspace.org> wrote:
>> So I hear CA pinning mentioned a bit as a probable way forward, but I didn't
>> see anyone define it on this list,
> Adam described it in this list. The specific mechanism is less important than what it achieves: the browser knows that the website is constrained to use the certs of only one CA.
> The rest is implementation detail.

E.g. http://datatracker.ietf.org/wg/dane/ (DNS-based Authentication of 
Named Entities (dane))

and http://datatracker.ietf.org/doc/draft-ietf-dane-protocol/ (Using 
Secure DNS to Associate Certificates with Domain Names For TLS)


- Thierry Moreau

CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, QC, Canada H2M 2A1

Tel. +1-514-385-5691
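As an added illustration of the DANE mechanism Thierry points to (this is not code from the post, the DANE working group or the draft): how a TLSA record constrains which CA or end-entity certificate a TLS client will accept, so a PKIX-valid certificate from a CA other than the pinned one is still rejected. The certificates below are constructed placeholder byte strings, not real X.509; a real client would hash the DER certificates from the TLS handshake and use only DNSSEC-validated TLSA records.

```python
"""TLSA (DANE) record matching against a presented TLS certificate chain.

Added example following the draft-ietf-dane-protocol record format.
Certificates are constructed placeholder bytes, not real X.509 data.
"""
from __future__ import annotations
import hashlib
from dataclasses import dataclass


@dataclass
class Cert:
    der: bytes   # full certificate (placeholder bytes here)
    spki: bytes  # SubjectPublicKeyInfo (placeholder bytes here)


def tlsa_owner_name(host: str, port: int = 443, proto: str = "tcp") -> str:
    """Owner name of the TLSA RRset, e.g. _443._tcp.www.example.com."""
    return f"_{port}._{proto}.{host}"


def parse_tlsa(text: str) -> tuple[int, int, int, bytes]:
    """Parse presentation format: 'usage selector matching-type hex-data'."""
    usage, selector, matching, data = text.split(None, 3)
    return int(usage), int(selector), int(matching), bytes.fromhex(data.replace(" ", ""))


def _assoc_data(cert: Cert, selector: int, matching: int) -> bytes:
    # Selector 0 = full certificate, 1 = SubjectPublicKeyInfo only
    raw = cert.der if selector == 0 else cert.spki
    if matching == 0:        # Matching type 0 = exact bytes
        return raw
    digest = hashlib.sha256 if matching == 1 else hashlib.sha512
    return digest(raw).digest()


def make_record(usage: int, selector: int, matching: int, cert: Cert) -> str:
    """Build the TLSA record an operator would publish for `cert`."""
    return f"{usage} {selector} {matching} {_assoc_data(cert, selector, matching).hex()}"


def tlsa_accepts(record: str, chain: list[Cert], pkix_valid: bool) -> bool:
    """Decide whether the presented chain (leaf first) satisfies the record.

    usage 0 (PKIX-TA): an issuer in the chain must match AND PKIX must pass
    usage 1 (PKIX-EE): the leaf must match AND PKIX must pass
    usage 2 (DANE-TA): a chain cert matches and is the trust anchor
                       (chain validation up to that anchor omitted here)
    usage 3 (DANE-EE): the leaf alone must match; PKIX is not consulted
    """
    usage, selector, matching, data = parse_tlsa(record)
    leaf, issuers = chain[0], chain[1:]
    candidates = {0: issuers, 1: [leaf], 2: chain, 3: [leaf]}[usage]
    matched = any(_assoc_data(c, selector, matching) == data for c in candidates)
    return matched and (pkix_valid or usage not in (0, 1))
```

A usage-0 record pinning one CA's SubjectPublicKeyInfo is the "constrained to the certs of only one CA" property from the thread: a mis-issued certificate that chains to a different, browser-trusted CA fails the match even though ordinary PKIX validation would accept it.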
