[cryptography] Public Key Pinning Extension for HTTP (draft-ietf-websec-key-pinning-01)

Kevin W. Wall kevin.w.wall at gmail.com
Thu Nov 1 18:07:34 EDT 2012


On Nov 1, 2012 5:23 PM, "Jeffrey Walton" <noloader at gmail.com> wrote:
>
> Hi All,
>
> I was reading through Public Key Pinning Extension for HTTP
> (draft-ietf-websec-key-pinning-01,
> http://tools.ietf.org/html/draft-ietf-websec-key-pinning-01).
>
> Section 3.1. Backup Pins, specifies that a backup should be available
> in case something goes awry with the current pinset. The backup pinset
> is a hash of undisclosed certificates or keys. Appendix A. Fingerprint
> Generation, then offers a program to hash a PEM encoded certificate.
<snip>
> Would it be
> better to retain a hash of the public key instead since the public key
> rarely changes?

Or perhaps public key plus SubjectDN, since that also rarely
changes??? At least that would still allow us
to associate the two.

-kevin
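The comparison the two messages above are circling (hash of the whole certificate versus hash of the SubjectPublicKeyInfo, with Kevin's SPKI-plus-SubjectDN variant alongside) can be checked directly. The script below is an added example, not code from the draft or from either poster; it assumes the openssl command-line tool is on PATH, generates its own throwaway keys and self-signed certificates (the subject name pin.example is made up), and the function names cert_pin, spki_pin and spki_subject_pin are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): which pin survives a certificate
# re-issuance? Assumes the openssl CLI is installed. All key material and
# the subject name below are constructed here for illustration only.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# One key pair, reused across two certificates: a renewal where the
# operator keeps the key.
openssl genrsa -out "$WORK/key.pem" 2048 2>/dev/null

# Same key, same subject; serial number and validity differ, so the two
# certificates are different byte strings.
openssl req -new -x509 -key "$WORK/key.pem" -subj "/CN=pin.example" \
    -days 30 -set_serial 1 -out "$WORK/cert1.pem" 2>/dev/null
openssl req -new -x509 -key "$WORK/key.pem" -subj "/CN=pin.example" \
    -days 60 -set_serial 2 -out "$WORK/cert2.pem" 2>/dev/null

# A rotated key with the same subject: what a pin must NOT match.
openssl genrsa -out "$WORK/key2.pem" 2048 2>/dev/null
openssl req -new -x509 -key "$WORK/key2.pem" -subj "/CN=pin.example" \
    -days 30 -set_serial 3 -out "$WORK/cert3.pem" 2>/dev/null

# Pin over the DER encoding of the entire certificate (SHA-256, base64).
cert_pin() {
    openssl x509 -in "$1" -outform DER \
        | openssl dgst -sha256 -binary | openssl base64
}

# Pin over the DER-encoded SubjectPublicKeyInfo only (what HPKP pins).
spki_pin() {
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -binary | openssl base64
}

# Kevin's variant: hash the SPKI together with the subject DN, so the pin
# ties the key to the name it was issued for.
spki_subject_pin() {
    {
        openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER
        openssl x509 -in "$1" -noout -subject
    } | openssl dgst -sha256 -binary | openssl base64
}

# Show all three pins for each certificate. Expect: cert pins all differ;
# SPKI and SPKI+subject pins agree for cert1/cert2 and change for cert3.
for c in cert1 cert2 cert3; do
    echo "$c  cert:         $(cert_pin "$WORK/$c.pem")"
    echo "$c  spki:         $(spki_pin "$WORK/$c.pem")"
    echo "$c  spki+subject: $(spki_subject_pin "$WORK/$c.pem")"
done
```

Run it as a plain sh script. The certificate-hash pin changes on every re-issuance even when nothing about the key changed, which is exactly the operational fragility Jeffrey raises; the SPKI pin (and the SPKI-plus-subject pin) is stable across cert1 and cert2 and only breaks when the key itself is rotated, which is the case the draft's backup pin is meant to cover.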