Hey Jeffrey,

Yep, we pin to the public key that issued the certificate.

Thanks,
Geremy Condra

On Sun, Nov 18, 2012 at 10:36 AM, Jeffrey Walton <[email protected]> wrote:
> Hi All/Nick.
>
> According to About Jelly Bean
> (http://developer.android.com/about/versions/jelly-bean.html),
> libcore SSL supports pinning:
>
> "Certificate Pinning — The libcore SSL implementation now supports
> certificate pinning. Pinned domains will receive a certificate
> validation failure if the certificate does not chain to a set of
> expected certificates. This protects against possible compromise of
> Certificate Authorities."
>
> I know it tells me certificate pinning, but is that public key
> pinning? I've been running tests on encrypted.google.com and gmail.com
> for the last 18 months or so. Google rotates its certificates
> regularly, but the underlying public key is static.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Android Security Discussions" group.
> To post to this group, send email to
> [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/android-security-discuss?hl=en.
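To make the distinction in the exchange above concrete, here is an added example (not code from the thread, from Android, or from libcore) that computes a pin over the SHA-256 of the certificate's SubjectPublicKeyInfo and compares it with a pin over the whole certificate. The "certificates" are DER skeletons constructed inside the script (unsigned, with made-up EC points) so it runs offline; the field walk in spki_from_cert follows the real X.509 Certificate/TBSCertificate layout, so it would also locate the SPKI in a genuine DER certificate. All function and variable names are my own assumptions, not an Android API.

```python
"""SPKI (public-key) pinning versus whole-certificate pinning.

Added example for the thread above; not code from Android or libcore. The
certificates below are hand-built DER skeletons (unsigned, fake key bytes)
so the script runs offline; spki_from_cert follows the real X.509 layout.
"""
import hashlib
from typing import Callable, Iterable, List, Set, Tuple

# ---- minimal DER encoder / reader (enough for X.509 structure) ----------

def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(value)) + value

def der_seq(*parts: bytes) -> bytes:
    return der_tlv(0x30, b"".join(parts))

def der_read(buf: bytes, i: int = 0) -> Tuple[int, bytes, bytes, int]:
    """Read one TLV at buf[i]; return (tag, whole_tlv, value, next_index)."""
    tag, first = buf[i], buf[i + 1]
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[i + 2:i + 2 + n], "big")
        hdr = 2 + n
    else:
        length, hdr = first, 2
    end = i + hdr + length
    return tag, buf[i:end], buf[i + hdr:end], end

def der_children(tlv: bytes) -> List[Tuple[int, bytes]]:
    """(tag, whole_tlv) for each element of a constructed DER value."""
    _, _, value, _ = der_read(tlv)
    out, i = [], 0
    while i < len(value):
        tag, whole, _, i = der_read(value, i)
        out.append((tag, whole))
    return out

# ---- pin computation ------------------------------------------------------

def spki_from_cert(cert_der: bytes) -> bytes:
    """Raw SubjectPublicKeyInfo TLV of an X.509 DER certificate.

    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tbs = der_children(cert_der)[0][1]
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:              # explicit [0] version present (v2/v3)
        fields = fields[1:]
    return fields[5][1]                   # serial, sigalg, issuer, validity, subject, SPKI

def spki_pin(cert_der: bytes) -> bytes:
    """Pin on the key: survives re-issuance as long as the key pair is kept."""
    return hashlib.sha256(spki_from_cert(cert_der)).digest()

def cert_pin(cert_der: bytes) -> bytes:
    """Pin on the whole certificate: breaks on every rotation."""
    return hashlib.sha256(cert_der).digest()

def chain_matches_pins(chain: Iterable[bytes], pins: Set[bytes],
                       pin_fn: Callable[[bytes], bytes]) -> bool:
    """Pinning check layered on top of (not instead of) normal path validation:
    accept if any certificate in the validated chain hashes to a pinned value,
    so the pin may be the leaf key or an intermediate/root key."""
    return any(pin_fn(c) in pins for c in chain)

# ---- constructed test data (not real certificates or keys) ----------------

def _oid(*b: int) -> bytes:
    return der_tlv(0x06, bytes(b))

ALG = der_seq(_oid(0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01),          # id-ecPublicKey
              _oid(0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07))    # prime256v1
# Made-up "uncompressed points"; only their bytes matter here, not curve validity.
EC_SPKI = der_seq(ALG, der_tlv(0x03, b"\x00\x04" + bytes(range(64))))
OTHER_SPKI = der_seq(ALG, der_tlv(0x03, b"\x00\x04" + bytes(range(64, 128))))

def make_cert(serial: int, spki: bytes) -> bytes:
    """Structurally valid, unsigned X.509 v3 DER skeleton around `spki`."""
    sig_alg = der_seq(_oid(0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02))  # ecdsa-with-SHA256
    name = der_seq(der_tlv(0x31, der_seq(_oid(0x55, 0x04, 0x03), der_tlv(0x0C, b"example.com"))))
    validity = der_seq(der_tlv(0x17, b"121118000000Z"), der_tlv(0x17, b"130218000000Z"))
    tbs = der_seq(der_tlv(0xA0, der_tlv(0x02, b"\x02")),   # [0] version v3
                  der_tlv(0x02, bytes([serial])),           # serialNumber (serial < 128)
                  sig_alg, name, validity, name, spki)
    return der_seq(tbs, sig_alg, der_tlv(0x03, b"\x00" * 9))  # placeholder signature

def demo() -> dict:
    """Pin set derived from cert_a; then check a rotated cert and a foreign key."""
    cert_a = make_cert(1, EC_SPKI)
    cert_b = make_cert(2, EC_SPKI)        # rotated: new serial, same public key
    cert_c = make_cert(3, OTHER_SPKI)     # different key, e.g. a mis-issued cert
    return {
        "spki_pin_accepts_rotated": chain_matches_pins([cert_b], {spki_pin(cert_a)}, spki_pin),
        "cert_pin_accepts_rotated": chain_matches_pins([cert_b], {cert_pin(cert_a)}, cert_pin),
        "spki_pin_accepts_other_key": chain_matches_pins([cert_c], {spki_pin(cert_a)}, spki_pin),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The rotated certificate (new serial, same SubjectPublicKeyInfo) passes the SPKI pin and fails the certificate pin, which is exactly the behaviour Jeffrey observed on encrypted.google.com; a certificate carrying a different key fails the SPKI pin regardless of who signed it. Pinning is checked on the chain after normal path validation, so a pin on an intermediate or root key (as Geremy describes) is the same comparison run against a different element of the chain.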
