[cryptography] wont CA hackers CA pin also? and other musings (Re: PKI "fixes" that don't fix PKI (part III))
thierry.moreau at connotech.com
Sun Sep 11 10:25:29 EDT 2011
Ian G wrote:
> Hi Adam,
> On 10/09/2011, at 20:16, Adam Back <adam at cypherspace.org> wrote:
>> So I hear CA pinning mentioned a bit as a probable way forward, but I didn't
>> see anyone define it on this list,
> Adam described it in this list. The specific mechanism is less important than what it achieves: the browser knows that the website is constrained to use the certs of only one CA.
> The rest is implementation detail.
E.g. http://datatracker.ietf.org/wg/dane/ (DNS-based Authentication of
Named Entities (dane))
and http://datatracker.ietf.org/doc/draft-ietf-dane-protocol/ (Using
Secure DNS to Associate Certificates with Domain Names For TLS)
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, QC, Canada H2M 2A1
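To make the DANE pointer concrete: a TLSA record carries a certificate usage, a selector, a matching type and certificate association data, and the client checks the server's chain against it, which is exactly the "constrained to one CA" property Ian describes. The following is an added illustration, not code from this thread or from the DANE working group; the field semantics follow the TLSA record as later published in RFC 6698, and the two certificates are constructed placeholders with only the TBSCertificate field layout, not real signed X.509 certificates.

```python
import hashlib

def der(tag, body):
    """Encode one DER TLV (short or long definite length)."""
    n = len(body)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + body

def der_next(buf, pos):
    """Decode the TLV at pos; return (raw_tlv, value, end_offset)."""
    start, n, pos = pos, buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return buf[start:pos + n], buf[pos:pos + n], pos + n

def spki_from_cert(cert_der):
    """Certificate -> TBSCertificate -> subjectPublicKeyInfo, skipping the optional [0] version."""
    _, cert, _ = der_next(cert_der, 0)
    _, tbs, _ = der_next(cert, 0)
    pos, fields = 0, []
    while pos < len(tbs):
        raw, _, pos = der_next(tbs, pos)
        fields.append(raw)
    return fields[6 if fields[0][0] == 0xA0 else 5]  # version?, serial, sigAlg, issuer, validity, subject, SPKI

def tlsa_assoc(selector, mtype, cert_der):
    """Association data: selector 0 = full cert, 1 = SPKI; matching type 0 = exact, 1 = SHA-256, 2 = SHA-512."""
    data = cert_der if selector == 0 else spki_from_cert(cert_der)
    return data if mtype == 0 else (hashlib.sha256 if mtype == 1 else hashlib.sha512)(data).digest()

def tlsa_matches(usage, selector, mtype, assoc, chain):
    """chain[0] is the server's end-entity cert, chain[1:] the CA certs it sent. Usage 0/2 pin a CA
    in the chain, usage 1/3 pin the end-entity cert; usage 0/1 also need PKIX validation (not modelled)."""
    candidates = chain[1:] if usage in (0, 2) else chain[:1]
    return any(tlsa_assoc(selector, mtype, c) == assoc for c in candidates)

def fake_cert(subject, key_bits):
    """Constructed placeholder with the TBSCertificate field layout only (not a valid, signed X.509 cert)."""
    ec_pub = der(0x30, der(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))  # id-ecPublicKey, parameters omitted
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
              + der(0x30, der(0x0C, b"Example CA")) + der(0x30, der(0x17, b"110911000000Z") * 2)
              + der(0x30, der(0x0C, subject)) + der(0x30, ec_pub + der(0x03, b"\x00" + key_bits)))
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00sig"))

EE_CERT = fake_cert(b"www.example.com", bytes(range(65)))    # constructed sample server cert
CA_CERT = fake_cert(b"Example CA", bytes(range(65, 0, -1)))  # constructed sample CA cert
CHAIN = [EE_CERT, CA_CERT]
# A TLSA record pinning the CA by the SHA-256 of its SubjectPublicKeyInfo: usage 0, selector 1, matching type 1
CA_PIN = (0, 1, 1, tlsa_assoc(1, 1, CA_CERT))
```

A chain whose CA key does not hash to the pinned value fails `tlsa_matches`, which is the check a browser would apply before trusting a certificate from a different CA.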