[cryptography] "best practices" for hostname validation when using JSSE

Jeffrey Goldberg Jeffrey at goldmark.org
Fri Aug 9 16:40:11 EDT 2013

On Aug 9, 2013, at 1:49 PM, Tim Dierks <tim at dierks.org> wrote:

> the easiest thing to do is make sure the cert chains up to a root you trust (ideally not system-installed roots, because nobody knows how deep the sewage flows there

I recently had the opportunity to participate (as a relatively silent observer) in a conversation among people who did have an inkling of how deep the sewer flows there. I had known things were bad, but I had no idea of how bad.

Let’s just say I whole-heartedly endorse the idea of pinning your own roots in applications.



