On 09/13/2011 02:41 PM, Yoav Nir wrote:
> the customers of DigiNotar were left
> out in the cold. Without certificate pinning, they just need to spend
> money on a new certificate and their site is working again. With it,
> they are in trouble.
With *CA* pinning, DigiNotar customers are definitely in serious trouble (which is why I asked earlier about the advantage of pinning anything but the EE cert). But if they had pinned their EE certs, they would have been able to resist even if DigiNotar had issued certs with their same name. So certificate pinning isn't bad in this case -- CA certificate pinning is bad.

--dkg
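To make the distinction concrete, here is an added illustration (not from dkg's message or the websec list) that models the two pinning policies as a small verifier. Pins are SHA-256 hashes of the SubjectPublicKeyInfo, base64-encoded, as in RFC 7469; the "SPKI" byte strings, certificate names and the `Cert`, `accept` and `scenarios` helpers are constructed placeholders for the example, and signatures are not modelled. It walks through both situations in the thread: a certificate mis-issued for the same name by the trusted CA, and the site's replacement certificate after that CA is removed from the trust store.

```python
import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed, not real DER)."""
    subject: str
    issuer: str
    spki: bytes  # stand-in for the DER-encoded SubjectPublicKeyInfo


def spki_pin(spki: bytes) -> str:
    """SHA-256 of the SPKI, base64-encoded: the pin format used by HPKP (RFC 7469)."""
    return base64.b64encode(hashlib.sha256(spki).digest()).decode()


def chain_is_valid(chain, trusted_roots):
    """Toy path validation: each cert's issuer must be the next cert's subject and
    the last cert must be a trusted root. Signature checks are deliberately omitted."""
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False
    return chain[-1].subject in trusted_roots


def accept(chain, hostname, pins, trusted_roots):
    """Accept a connection only when the leaf matches the hostname, the chain
    validates to a trusted root, and at least one cert in the chain matches a pin."""
    leaf = chain[0]
    if leaf.subject != hostname:
        return False
    if not chain_is_valid(chain, trusted_roots):
        return False
    return any(spki_pin(c.spki) in pins for c in chain)


# Constructed placeholder key material; real SPKIs are DER-encoded public keys.
SITE_KEY = b"constructed-spki-of-the-site-key"
ROGUE_KEY = b"constructed-spki-of-an-attacker-key"
DIGINOTAR_KEY = b"constructed-spki-diginotar-root"
OTHER_CA_KEY = b"constructed-spki-some-other-root"

HOST = "www.example.com"
diginotar = Cert("DigiNotar Root CA", "DigiNotar Root CA", DIGINOTAR_KEY)
other_ca = Cert("Other Root CA", "Other Root CA", OTHER_CA_KEY)

legit_chain = [Cert(HOST, diginotar.subject, SITE_KEY), diginotar]
# Mis-issued by the (still trusted) CA for the same name, but with a different key.
rogue_chain = [Cert(HOST, diginotar.subject, ROGUE_KEY), diginotar]
# The site's replacement cert from another CA, reusing the site's own key.
replacement_chain = [Cert(HOST, other_ca.subject, SITE_KEY), other_ca]

EE_PINS = {spki_pin(SITE_KEY)}        # pin the end-entity key
CA_PINS = {spki_pin(DIGINOTAR_KEY)}   # pin the CA key
BEFORE = {diginotar.subject, other_ca.subject}  # trust store before the incident
AFTER = {other_ca.subject}                      # trust store after DigiNotar is removed


def scenarios():
    """Outcome of each policy in each situation; every entry is True when the
    policy behaves as the thread describes."""
    return {
        "ee_pin_rejects_misissued": not accept(rogue_chain, HOST, EE_PINS, BEFORE),
        "ca_pin_accepts_misissued": accept(rogue_chain, HOST, CA_PINS, BEFORE),
        "ee_pin_survives_ca_removal": accept(replacement_chain, HOST, EE_PINS, AFTER),
        "ca_pin_breaks_after_ca_removal": not accept(replacement_chain, HOST, CA_PINS, AFTER),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {ok}")
```

The EE pin rejects the mis-issued certificate because its key differs, and it keeps working with the replacement certificate because the site kept its key; the CA pin does the opposite on both counts, which is the asymmetry the message is pointing at. A real deployment also needs a backup pin for key rotation, which this model leaves out.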
_______________________________________________
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec