Aren't you talking here about the client's validation of the server's 
credentials? That's useful information, but my question was about server 
validation of client certificates ...

Charles

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Jeffrey Walton
Sent: Monday, October 08, 2012 11:13 AM
To: OpenSSL Users List
Subject: Re: Best practice for client cert name checking

On Mon, Oct 8, 2012 at 9:25 AM, Mark H. Wood <mw...@iupui.edu> wrote:
> On Mon, Oct 08, 2012 at 07:42:04AM +0000, Marco Molteni (mmolteni) wrote:
>> try searching for "certificate pinning". If you are familiar with 
>> ssh, it is the same concept as the StrictHostKeyChecking option 
>> (although obviously SSH and TLS are completely distinct protocols and 
>> by default SSH doesn't use X.509 certs).
>>
>> The idea is: with a standard TLS connection, acting as TLS client, 
>> you connect to a host for the first time and you receive its 
>> certificate. The standard TLS verifications are successful (meaning: 
>> the certificate really belongs to the host and it has been issued by 
>> a CA you trust). When the connection is closed, a normal TLS client will 
>> forget the certificate.
>>
>> On the other hand, certificate pinning remembers the certificate. 
>> Pinning means storing such a certificate locally and associating it with 
>> the hostname you connected to. If the next time you connect the 
>> certificate has changed, a system supporting certificate pinning will warn 
>> you.
>
> I believe this is what the Certificate Patrol plugin for Firefox is 
> doing, if you want to see it in action.

This plug-in pins certificates (not public keys), and creates a lot of spurious 
noise on some sites (for example, Google and Gmail). It desensitizes the user.

I've been running experiments on Google and Gmail for the last couple of years. 
If you are pinning for those sites, you definitely want to pin public keys.

Jeff
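To make the difference between the two kinds of pin concrete, here is an added example (not from this thread and not OpenSSL code): a minimal DER walker pulls the SubjectPublicKeyInfo out of an X.509 certificate so it can be hashed on its own, and two constructed toy certificates (same key, different serial numbers, as in a routine renewal) show that the whole-certificate pin changes while the public-key pin does not. The certificates and the key bytes are fabricated for the demonstration and carry no real signature.

```python
import hashlib

def der(tag, content):
    # Minimal DER TLV encoder (short and long-form lengths), for the constructed certs below.
    n = len(content)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + content

def seq(*items):
    return der(0x30, b"".join(items))

def tlv_at(buf, pos):
    # Decode the TLV starting at pos; return (tag, value, end_offset).
    tag, first = buf[pos], buf[pos + 1]
    nbytes = 0 if first < 0x80 else first & 0x7F
    length = first if first < 0x80 else int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
    start = pos + 2 + nbytes
    return tag, buf[start:start + length], start + length

def spki_from_cert(cert_der):
    # Walk Certificate -> tbsCertificate and return the raw SubjectPublicKeyInfo TLV bytes.
    _, cert_body, _ = tlv_at(cert_der, 0)
    _, tbs, _ = tlv_at(cert_body, 0)
    fields, pos = [], 0
    while pos < len(tbs):
        tag, _, end = tlv_at(tbs, pos)
        fields.append((tag, tbs[pos:end]))
        pos = end
    # The optional [0] EXPLICIT version (v2/v3) shifts subjectPublicKeyInfo from index 5 to 6.
    return fields[6 if fields[0][0] == 0xA0 else 5][1]

def spki_pin(cert_der):   # public-key pin: hash of the SubjectPublicKeyInfo only
    return hashlib.sha256(spki_from_cert(cert_der)).hexdigest()
def cert_pin(cert_der):   # certificate pin: hash of the whole certificate
    return hashlib.sha256(cert_der).hexdigest()

# Constructed sample data, not a real key: rsaEncryption OID + NULL params + dummy BIT STRING.
SPKI = seq(seq(der(0x06, bytes.fromhex("2a864886f70d010101")), der(0x05, b"")),
           der(0x03, b"\x00" + b"\x11" * 32))
SHA256_RSA = seq(der(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption

def make_cert(serial):
    # Structurally valid but unsigned toy v3 certificate; only the fields pinning touches matter.
    tbs = seq(der(0xA0, der(0x02, b"\x02")), der(0x02, serial), SHA256_RSA, seq(),
              seq(der(0x17, b"121008000000Z"), der(0x17, b"131008000000Z")), seq(), SPKI)
    return seq(tbs, SHA256_RSA, der(0x03, b"\x00" + b"\x22" * 8))
OLD_CERT, NEW_CERT = make_cert(b"\x01"), make_cert(b"\x02")  # a renewal: new serial, same key

def pin_matches(cert_der, stored_pin):
    # The check a pinning client runs against the certificate presented at connect time.
    return spki_pin(cert_der) == stored_pin
```

With real certificates the same SPKI pin survives routine renewals, which is why pinning the key removes the warnings that a whole-certificate pin raises whenever a site rotates its certificate.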
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org