On Thu, Nov 17, 2016 at 04:55:37PM -0800, Peter Bowen wrote: > On Thu, Nov 17, 2016 at 4:38 PM, Matt Palmer <[email protected]> wrote: > >> (Note: Key pinning isn't the only advantage to being able to freely operate > >> your own intermediate CA.) > > > > I don't see how freely operating your own intermediate CA is a pre-requisite > > for key pinning, either. > > If you don't have your own CA you have to choose between pinning to a > CA who might collapse or change their business model such that you > can't use them or pinning end-entity keys which is highly limiting.
Yes, pinning end-entity keys is a great way to very effectively blow your foot off at the neck. I don't see how pinning an open intermediate is any worse than pinning a TCSC, though. An organisation which pinned a TCSC issued by Wosign or Startcom, to use the villains du jour, is in exactly the same position as if they'd pinned one of their open intermediates. - Matt _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
