On 3/28/19 6:26 PM, Hal Murray via devel wrote:
>
> Gary said:
>>> There is a downside. Every time it changes, you have to take
>>> a leap of faith when you re-pin it, rather than getting normal
>>> CA validation.
>> You miss the point, this is in addition to normal CA validation, not an
>> alternative to it. Just like HPKP.
>
> I'm missing something important. Why would I need additional validation?
> Isn't normal certificate validation good enough?
In normal validation, ANY root CA can sign a certificate for my domain and it
will be trusted by clients. I might want to pin the NTS association for
ntp1.wiktel.com to require that its certificate be issued by Let's Encrypt.
Or, I might want to pin it to my internal CA.

-- 
Richard

_______________________________________________
devel mailing list
devel@ntpsec.org
http://lists.ntpsec.org/mailman/listinfo/devel
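The check Richard describes, as an added example that is not part of the thread and not NTPsec's own code: an NTS-KE client that does the normal CA and hostname validation Python's ssl module performs by default, and then, in addition, refuses the connection unless the server's certificate was issued by a CA on a pin list (Let's Encrypt, or an internal CA loaded from a local file). The NTS-KE port 4460, the ALPN identifier "ntske/1" and the TLS 1.3 requirement come from RFC 8915; the pin contents, the "Example Corp" internal CA and the sample certificate dictionaries are constructed for the example, and `issuer_pinned`, `issuer_dn` and `connect_nts_ke` are names chosen here, not NTPsec API.

```python
"""Issuer pinning on top of normal CA validation for an NTS-KE (RFC 8915) connection.

Added example, not NTPsec code. ssl.create_default_context() gives the normal
chain-of-trust and hostname checks; issuer_pinned() adds the second condition
that the leaf certificate's issuer match one of our pins. Pins are matched on
the issuer distinguished name as exposed by SSLSocket.getpeercert().
"""
import socket
import ssl

NTS_KE_PORT = 4460        # RFC 8915: NTS-KE listens on TCP 4460
NTS_KE_ALPN = "ntske/1"   # RFC 8915: ALPN identifier for NTS-KE


def issuer_dn(cert: dict) -> dict:
    """Flatten getpeercert()['issuer'] (a tuple of RDNs, each a tuple of
    (attribute, value) pairs) into a plain {attribute: value} dict."""
    dn = {}
    for rdn in cert.get("issuer", ()):
        for attribute, value in rdn:
            dn[attribute] = value
    return dn


def issuer_pinned(cert: dict, pins) -> bool:
    """True iff the certificate's issuer DN carries every attribute of at
    least one pin. A pin is a dict such as {"organizationName": "Let's Encrypt"};
    listing several pins lets you overlap an old and a new CA during a rotation."""
    dn = issuer_dn(cert)
    return any(all(dn.get(k) == v for k, v in pin.items()) for pin in pins)


def connect_nts_ke(host, pins, port=NTS_KE_PORT, cafile=None, timeout=5.0):
    """Open the NTS-KE TLS session, run the normal validation, then enforce the pin.
    cafile is needed only when pinning to an internal CA that is not in the
    system trust store (the internal root must still chain normally)."""
    ctx = ssl.create_default_context(cafile=cafile)   # normal CA + hostname validation
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3        # RFC 8915 requires TLS 1.3
    ctx.set_alpn_protocols([NTS_KE_ALPN])
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()            # only reached if CA validation passed
            if not issuer_pinned(cert, pins):
                raise ssl.SSLCertVerificationError(
                    f"{host}: issuer {issuer_dn(cert)} is not on the pin list")
            return cert


# Pin lists for the two cases in the thread (values are assumptions for the example).
PIN_LETSENCRYPT = [{"organizationName": "Let's Encrypt"}]
PIN_INTERNAL = [{"organizationName": "Example Corp",
                 "commonName": "Example Corp Internal CA"}]

# Constructed dictionaries in the shape getpeercert() returns; not real certificates.
LETSENCRYPT_ISSUED = {
    "subject": ((("commonName", "ntp1.wiktel.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
}
OTHER_PUBLIC_CA_ISSUED = {
    "subject": ((("commonName", "ntp1.wiktel.com"),),),
    "issuer": ((("organizationName", "Some Other Public CA"),),
               (("commonName", "Some Other Public CA Issuing CA 2"),)),
}
INTERNAL_CA_ISSUED = {
    "subject": ((("commonName", "ntp1.wiktel.com"),),),
    "issuer": ((("organizationName", "Example Corp"),),
               (("commonName", "Example Corp Internal CA"),)),
}


if __name__ == "__main__":
    # Live usage (network): require the public server's cert to come from Let's Encrypt.
    try:
        peer = connect_nts_ke("ntp1.wiktel.com", PIN_LETSENCRYPT)
        print("pinned issuer OK:", issuer_dn(peer))
    except (OSError, ssl.SSLError) as exc:
        print("NTS-KE connection rejected:", exc)
```

The order matters: the issuer check runs only after `wrap_socket` has already completed the ordinary chain and hostname validation, so a certificate from a rogue but publicly trusted CA is rejected by the pin, and a forged certificate from an untrusted CA never reaches the pin at all. Matching on the issuer DN is what `getpeercert()` makes available; it is weaker than an HPKP-style pin on the issuing CA's SubjectPublicKeyInfo hash, which needs the verified chain (for example `SSLSocket.get_verified_chain()` on Python 3.13 or newer) and is the better choice where that API is present.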