Adam Barth wrote:
The only requirement
is that future certificate chains MUST include that certificate. That
effectively gives you EV pinning,
I might not have been very clear by what I meant with EV pinning.
It was more EV *status* pinning, that is do not in the future allow the
connexion to be with a DV cert instead of an EV cert.
This in my opinion is more useful than the cert pinning you describe. I
think it's more useful to focus on an end goal, ensure this property
stays true, rather a specific technical characteristic, pin on this cert.
In this view, in addition to the EV status, it could be useful to pin
the certificate chain to some geographic localization. "I'm an American
company and I'll use American based CA and RA for my certificate. If the
next certificate you get has been issued from Tunisia (Ben Ali's
government used to have a governmental CA, included in Microsoft trust
store) or China, it'll be very suspicious". This transposes to letting
non-american companies decide they'll certainly never want to use a
certificate from America (one could think of the pirate bay or wikileaks).
The conspiracy http://kuix.de/conspiracy/ extension for Firefox will
already show this info.
In addition to thinking about orderly transitions to new certificates
(as you mention), there's also the case of disorderly transitions.
Yes, this shows that pinning to a specific certificate is an engineer's
idea, but not something that actually works.
Lets' be clear : CAs would love a solution where the clients are chained
to continue using their product and never change to something else,
"strictly for security reasons".
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
