Matt McCutchen wrote: > > On Sat, 2010-09-25 at 02:22 +0200, Martin Rex wrote: > > Section 5.1.4 here: > > > > http://www.w3.org/TR/wsc-ui/#selfsignedcerts > > > > is much closer what I this would be useful and sensible. > > > > "Pinning" of certs is useful for both, certs that validate fine > > and certs that do not validate for the two reasons "not trusted" > > and "server-id-mismatch". > > Once again > (http://www.ietf.org/mail-archive/web/certid/current/msg00338.html), the > purpose of pinning is to make it possible to connect to servers with > unverifiable certificates, not to replace the public-CA trust model, > which is much more difficult to do properly. The definition of > "strongly TLS-protected" (http://www.w3.org/TR/wsc-ui/#def-strong-tls) > includes validated certificates regardless of whether there is a pinned > certificate.
"Pinning" Certs is extremely sensible, especially for TOR exit nodes. Getting a server cert issued from any one of the ~100 pre-trusted CAs without being rightful owner of a domain is an effort to which you can likely attach an average price tag. Find out the procedures of the CA and determine which is the most cost effective mix of deceiving about real owner ship and bribe that will achieve the objective. Governmental agencies might have additional means of persuaions to get server certs issued for domains that they do not own. Think about wikileaks. Therefore having server-id-check unconditionally and silently override "pinned" server certs with server-certs that chain to one of the ~100 trust anchors preconfigured by the software supplier is a significant security problem. -Martin _______________________________________________ certid mailing list [email protected] https://www.ietf.org/mailman/listinfo/certid
