On Tue, Sep 13, 2011 at 11:41 AM, Yoav Nir <y...@checkpoint.com> wrote:
> Six months ago we would not have thought that Comodo or DigiNotar were
> easy to hack. In the latter case, the customers of DigiNotar were left
> out in the cold. Without certificate pinning, they just need to spend
> money on a new certificate and their site is working again. With it,
> they are in trouble.

This is why we strongly advocate that you have a backup pin, so that you can pivot to it in the event of any of several disasters that we outline in the document. We are even thinking about requiring backup pins, because they are so important. (See the Risks of Pinning section, and the Ideas section.)

Assuming that the disaster is not one of private key compromise (either end entity or signer), you can also recover by having your public key re-signed by a new CA.

_______________________________________________
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec
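The recovery paths discussed in the reply above (pivot to a backup pin after a key compromise, or re-sign the same public key with a new CA after a CA compromise), worked through as an added example that is not part of the thread or of the pinning draft. Pins are SHA-256 hashes of the SubjectPublicKeyInfo, base64-encoded, as in the draft; the certificate type, the `chain_signed_by` helper, the CA and key names, and the SPKI byte strings are constructed placeholders standing in for real DER, so no X.509 parsing is involved. The example also shows the caveat the reply leaves implicit: re-signing only rescues a site whose pin is on its own key, not one that pinned the compromised CA's key.

```python
import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate: only what pinning looks at."""
    subject: str
    issuer: str
    spki: bytes  # would be the DER SubjectPublicKeyInfo; constructed bytes here


def pin_of(spki: bytes) -> str:
    """Pin value as the draft defines it: base64(SHA-256(SPKI))."""
    return base64.b64encode(hashlib.sha256(spki).digest()).decode("ascii")


def chain_matches_pins(chain: list[Cert], pins: set[str]) -> bool:
    """Pin validation: at least one certificate in the chain must match a pin."""
    return any(pin_of(cert.spki) in pins for cert in chain)


def has_backup_pin(pins: set[str], chain: list[Cert]) -> bool:
    """The check the reply says the authors are considering making mandatory
    (and which RFC 7469 later did): the pin set must contain at least one pin
    that matches nothing in the currently served chain."""
    in_chain = {pin_of(cert.spki) for cert in chain}
    return any(pin not in in_chain for pin in pins)


# Constructed placeholder SPKIs (hypothetical; not real keys).
KEY_SITE = b"constructed-spki-site-key-1"
KEY_BACKUP = b"constructed-spki-site-backup-key"   # kept offline, never in a cert yet
KEY_SITE_NEW = b"constructed-spki-site-key-2"      # a brand-new key, never pinned
KEY_CA_A = b"constructed-spki-ca-a"
KEY_CA_B = b"constructed-spki-ca-b"


def chain_signed_by(ca_name: str, ca_key: bytes, site_key: bytes) -> list[Cert]:
    """Hypothetical helper: a two-certificate chain for example.test issued by ca_name."""
    return [Cert("example.test", ca_name, site_key), Cert(ca_name, ca_name, ca_key)]


ORIGINAL_CHAIN = chain_signed_by("CA-A", KEY_CA_A, KEY_SITE)

PINS_WITH_BACKUP = {pin_of(KEY_SITE), pin_of(KEY_BACKUP)}  # what the reply advocates
PINS_NO_BACKUP = {pin_of(KEY_SITE)}                        # site key only
PINS_CA_ONLY = {pin_of(KEY_CA_A)}                          # pinned the CA instead


def recover_from_ca_compromise(pins: set[str]) -> bool:
    """CA-A is compromised (the DigiNotar case); the site keeps its private key
    and has the same public key re-signed by CA-B."""
    return chain_matches_pins(chain_signed_by("CA-B", KEY_CA_B, KEY_SITE), pins)


def recover_from_key_compromise(pins: set[str]) -> bool:
    """The site's own private key is compromised; it pivots to the backup key."""
    return chain_matches_pins(chain_signed_by("CA-B", KEY_CA_B, KEY_BACKUP), pins)


def recover_with_fresh_key(pins: set[str]) -> bool:
    """No backup key was prepared; the site buys a certificate for a new key.
    Clients still holding the old pins reject it: the 'in trouble' case."""
    return chain_matches_pins(chain_signed_by("CA-B", KEY_CA_B, KEY_SITE_NEW), pins)


if __name__ == "__main__":
    print("backup pin present:", has_backup_pin(PINS_WITH_BACKUP, ORIGINAL_CHAIN))
    print("CA compromise, site-key pin, re-sign:", recover_from_ca_compromise(PINS_NO_BACKUP))
    print("CA compromise, CA pin, re-sign:", recover_from_ca_compromise(PINS_CA_ONLY))
    print("key compromise, backup pin:", recover_from_key_compromise(PINS_WITH_BACKUP))
    print("key compromise, no backup pin:", recover_with_fresh_key(PINS_NO_BACKUP))
```

Each scenario returns whether a client that noted the given pin set would still accept the recovered chain; the backup pin is what turns the key-compromise case from a rejected site into a working one, and the CA-only pin set shows why re-signing alone is not a universal fix.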