From: Peter Saint-Andre [mailto:[email protected]] > > What concerns me > > is that a) the implications of the override are not articulated; and > > b) this "pinning" or override function applies to certificates > > regardless of their RFC5280-determined validity; > > That sounds too broad. I don't think we want to let a "pinned" > certificate off the hook regarding all aspects of PKIX-validity. All > we're saying is that the user has explicitly approved this certificate > as acceptable for this application server, despite an identity mismatch.
I might be convinced that you are limiting scope to "server identity" and so you want to enumerate the faults that "pinning" can be used for. If you do so, you run the risk of becoming irrelevant. I can pin a cert in my browser for a number of reasons. Why is an identity mismatch any more forgivable than an unknown CA? > > A cached or "pinned" certificate need not be valid according to > > [PKIX]. A server that presents a pinned certificate is found to > > match based solely on its ability to prove that it possesses the > > private key that corresponds to the public key in the certificate. > > Again, I think that's probably too lenient. Yes, very. But the alternative (enumeration) seems both hard and counterproductive. > Peter Saint-Andre _______________________________________________ certid mailing list [email protected] https://www.ietf.org/mailman/listinfo/certid
