Heyho, What do i have to do to use it?
On Sunday, November 18, 2012 9:12:53 PM UTC+1, Geremy Condra wrote: > > Hey Jeffrey, > > Yep, we pin to the public key that issued the certificate. > > Thanks, > Geremy Condra > > > On Sun, Nov 18, 2012 at 10:36 AM, Jeffrey Walton > <[email protected]<javascript:> > > wrote: > >> Hi All/Nick. >> >> According to About Jelly Bean >> (http://developer.android.com/about/versions/jelly-bean.html), >> libcore SSL supports pinning: >> >> "Certificate Pinning — The libcore SSL implementation now supports >> certificate pinning. Pinned domains will receive a certificate >> validation failure if the certificate does not chain to a set of >> expected certificates. This protects against possible compromise of >> Certificate Authorities." >> >> I know it tells me certificate pinning, but is that public key >> pinning? I've been running tests on encrypted.google.com and gmail.com >> for the last 18 months or so. Google rotates its certificates >> regularly, but the underlying public key is static. >> >> -- >> You received this message because you are subscribed to the Google Groups >> "Android Security Discussions" group. >> To post to this group, send email to >> [email protected]<javascript:> >> . >> To unsubscribe from this group, send email to >> [email protected] <javascript:>. >> For more options, visit this group at >> http://groups.google.com/group/android-security-discuss?hl=en. >> >> > -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To view this discussion on the web visit https://groups.google.com/d/msg/android-security-discuss/-/PyWUP-wazCIJ. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/android-security-discuss?hl=en.
