On 08-12-2015 23:23, Stuart Henderson wrote:
> I wasn't aware that
> it lets you disregard the CAs though

Once the client has the two certs pinned (the primary and the backup),
if a malicious CA tries to impersonate the server using a forged (although
perfectly valid) certificate, the client shouldn't connect to it,
because it already has the fingerprint pinned. It is the same rationale
as ssh host keys, trust on first use.

But, by the way this thread evolved, we're beating a dead horse here now.

Cheers,
Giancarlo Razzolini
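
The trust-on-first-use pin check described in the message above, as an added example that is not part of the original message. The `PinStore` class, the host name and the key byte strings are hypothetical and constructed for illustration, and keeping CA chain validation alongside the pin check is an assumption of this sketch.

```python
import hashlib
from base64 import b64encode

def fingerprint(key_bytes: bytes) -> str:
    """Base64 SHA-256 of the server's public key bytes: the value that gets pinned."""
    return b64encode(hashlib.sha256(key_bytes).digest()).decode()

class PinStore:
    """Hypothetical client-side pin store: host -> set of pinned fingerprints."""

    def __init__(self):
        self._pins = {}

    def check(self, host, presented_key, chain_valid, advertised_pins=()):
        """Decide on one connection: 'pinned', 'ok' or 'reject'."""
        if not chain_valid:
            return "reject"  # assumption: pinning is checked on top of CA validation
        fp = fingerprint(presented_key)
        known = self._pins.get(host)
        if known is None:
            # First use: nothing to compare against, so this contact is trusted.
            # Store the pins only if the key in use is one of them.
            if fp not in advertised_pins:
                return "reject"
            self._pins[host] = frozenset(advertised_pins)
            return "pinned"
        # Later connections: a CA-valid chain is not enough, the key must be pinned.
        return "ok" if fp in known else "reject"

# Constructed stand-ins for the servers' DER-encoded public keys.
PRIMARY = b"constructed-primary-key"
BACKUP = b"constructed-backup-key"
FORGED = b"constructed-key-certified-by-another-ca"

def demo():
    store = PinStore()
    pins = (fingerprint(PRIMARY), fingerprint(BACKUP))
    return [
        store.check("example.org", PRIMARY, True, pins),  # first use: pins stored
        store.check("example.org", PRIMARY, True),        # same key as pinned
        store.check("example.org", BACKUP, True),         # rotation to the backup key
        store.check("example.org", FORGED, True),         # valid chain, unpinned key
    ]

if __name__ == "__main__":
    print(demo())
```

As with ssh host keys, the first contact is the unprotected one: whatever key is seen there is the one that gets pinned.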
