On 07/25/2017 02:56 AM, Alexey Melnikov wrote:
Use of pinned certs isn't forbidden by the draft, but pinned certs don't
meet minimum confidentiality requirements.

I think it might be possible to adequately address the security concerns
associated with the usual implementation of pinned certificates, but
working through the details seems beyond the scope of this document.
Ok, how about inserting "typically" before "lacks a mechanism to revoke
...". This way you are making an observation about state of UIs without
sounding like it is a fact of nature.
I'm thinking more along the lines of "there is currently no protocol defined for revocation of a pinned certificate".

TOFU isn't entirely good or evil, though it does provide a vulnerability that will certainly be exploited. (We're creating a similar vulnerability by encouraging use of unsigned SRV records to dictate account configuration parameters, which seems hard to fix at the moment given how hard it is to deploy DNSSEC. Maybe DNS-over-TLS will emerge as a way to double-check the validity of those SRV records.)

Keith
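As an added illustration of the trust-on-first-use gap discussed above (example code, not from the thread or the draft): a minimal TOFU pin store that records whatever certificate is seen on first contact and later can only report that a different certificate appeared, with no way to tell a legitimate rotation from an interposed endpoint and no protocol to revoke the stored pin. The host name and certificate bytes are constructed stand-ins.

```python
import hashlib
from enum import Enum


class PinResult(Enum):
    FIRST_USE = "first use: pin recorded with no out-of-band verification"
    MATCH = "match: presented certificate equals the stored pin"
    MISMATCH = "mismatch: rotation or interposition, indistinguishable to the client"


def fingerprint(cert_der: bytes) -> str:
    # SHA-256 over the DER-encoded certificate, the usual pin material.
    return hashlib.sha256(cert_der).hexdigest()


class TofuPinStore:
    """Trust-on-first-use store mapping host -> certificate fingerprint."""

    def __init__(self) -> None:
        self.pins: dict[str, str] = {}

    def check(self, host: str, cert_der: bytes) -> PinResult:
        fp = fingerprint(cert_der)
        stored = self.pins.get(host)
        if stored is None:
            # Whatever endpoint answers first becomes the pin; nothing here
            # validates it, and nothing later can revoke it except local deletion.
            self.pins[host] = fp
            return PinResult.FIRST_USE
        if stored == fp:
            return PinResult.MATCH
        return PinResult.MISMATCH


def demo() -> list[PinResult]:
    # Constructed stand-ins for DER certificates (not real X.509 data).
    genuine = b"constructed-der:imap.example.net:genuine"
    other = b"constructed-der:imap.example.net:other"
    store = TofuPinStore()
    return [
        store.check("imap.example.net", genuine),  # FIRST_USE: pin silently created
        store.check("imap.example.net", genuine),  # MATCH
        store.check("imap.example.net", other),    # MISMATCH: the only signal the client gets
    ]
```

The MISMATCH case is where a UI lacking any revocation mechanism has to ask the user to decide, which is the state of affairs the thread is describing.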

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta