That is a good point.

But in the DigiNotar case the CA root was revoked, so that could be dealt
with by saying that a client should unpin a cert when it has been revoked
(or part of the chain has been revoked).

Another tool that we could use here is to push out an 'unpin' statement in
whatever mechanism we develop for data-driven revocation.


On Tue, Sep 13, 2011 at 3:37 PM, Daniel Kahn Gillmor
<d...@fifthhorseman.net> wrote:

> On 09/13/2011 02:41 PM, Yoav Nir wrote:
>
> > the customers of DigiNotar were left
> > out in the cold. Without certificate pinning, they just need to spend
> > money on a new certificate and their site is working again. With it,
> > they are in trouble.
>
> With *CA* pinning, DigiNotar customers are definitely in serious trouble
> (which is why I asked earlier about the advantage of pinning anything
> but the EE cert).  But if they had pinned their EE certs, they would
> have been able to resist even if DigiNotar had issued certs with their
> same name.
>
> So certificate pinning isn't bad in this case -- CA certificate pinning
> is bad.
>
>        --dkg
>
>
> _______________________________________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/listinfo/websec
>
>


-- 
Website: http://hallambaker.com/
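The two positions in this exchange (an "unpin on revocation" rule on the one hand, and dkg's point that EE pins survive a CA compromise while CA pins do not) can be replayed in a few lines. The following Python model is an added example and is not code from this thread, from the websec working group, or from any of its participants. It assumes that a pin names a key by a SHA-256 digest of its public key and that a pin is satisfied if any certificate in the presented chain carries a pinned key; the certificates, keys, hostname and revocation set are all constructed stand-ins, not real X.509 data, and the revocation set plays the role of the data-driven revocation feed mentioned above.

```python
"""Toy model of certificate pinning with an unpin-on-revocation rule.

Added example for the websec thread above; not code from the thread or its
authors.  Certs are plain dicts, keys are fake bytes, and `revoked` is a set
of key digests standing in for a data-driven revocation feed (assumptions).
"""
import hashlib


def spki(key: bytes) -> str:
    """A pin names a key by the SHA-256 of its public key (fake bytes here)."""
    return hashlib.sha256(key).hexdigest()


def cert(subject: str, key: bytes, issuer_key: bytes) -> dict:
    """Constructed stand-in for an X.509 cert: the name, its key, its signer's key."""
    return {"subject": subject, "spki": spki(key), "issuer": spki(issuer_key)}


def chain_valid(host: str, chain: list, roots: set, revoked: set) -> bool:
    """Leaf-first chain: names the host, each cert is signed by the next one,
    nothing in it is revoked, and it ends at a trusted (self-signed) root."""
    if chain[0]["subject"] != host:
        return False
    for i, c in enumerate(chain):
        if c["spki"] in revoked:            # revoking any element breaks the chain
            return False
        signer = chain[i + 1] if i + 1 < len(chain) else c   # root signs itself
        if c["issuer"] != signer["spki"]:
            return False
    return chain[-1]["spki"] in roots


def unpin_revoked(pins: dict, revoked: set) -> None:
    """The rule proposed in the message: a pin whose key has been revoked is
    dropped, and a host left with no pins becomes unpinned."""
    for host in list(pins):
        pins[host] = pins[host] - revoked   # new set, so callers' sets are untouched
        if not pins[host]:
            del pins[host]


def validate(host, chain, pins, roots, revoked, unpin_on_revocation=True) -> str:
    """Decide a connection: chain validity first, then the pin (if any)."""
    if unpin_on_revocation:
        unpin_revoked(pins, revoked)
    if not chain_valid(host, chain, roots, revoked):
        return "reject: chain invalid or revoked"
    if host in pins and not any(c["spki"] in pins[host] for c in chain):
        return "reject: pin mismatch"
    return "accept"


def diginotar_scenarios() -> dict:
    """Replay the cases argued in the thread with constructed keys; return outcomes."""
    host = "www.example.nl"                       # constructed hostname
    dn_root_key, other_root_key = b"diginotar-root-key", b"other-ca-root-key"
    site_key, rogue_key = b"site-key", b"attacker-key"
    roots = {spki(dn_root_key), spki(other_root_key)}

    dn_root = cert("DigiNotar Root CA", dn_root_key, dn_root_key)
    other_root = cert("Other Root CA", other_root_key, other_root_key)
    legit = [cert(host, site_key, dn_root_key), dn_root]        # customer's real cert
    rogue = [cert(host, rogue_key, dn_root_key), dn_root]       # misissued, same name
    reissued = [cert(host, site_key, other_root_key), other_root]  # bought elsewhere

    ca_pin = {host: {spki(dn_root_key)}}     # pin the CA root key
    ee_pin = {host: {spki(site_key)}}        # pin the end-entity key
    out = {}
    # Before revocation: a CA pin accepts a rogue cert from the pinned CA; an EE pin does not.
    out["ca_pin_rogue"] = validate(host, rogue, dict(ca_pin), roots, set())
    out["ee_pin_rogue"] = validate(host, rogue, dict(ee_pin), roots, set())
    # The DigiNotar root is revoked; the customer's old cert dies with it regardless of pin.
    revoked = {spki(dn_root_key)}
    out["legit_after_revocation"] = validate(host, legit, dict(ee_pin), roots, revoked)
    # The customer re-issues under another CA.  A CA pin strands them unless the
    # revoked key is unpinned; an EE pin on their own (unrevoked) key just keeps working.
    out["ca_pin_reissued_no_unpin"] = validate(
        host, reissued, dict(ca_pin), roots, revoked, unpin_on_revocation=False)
    out["ca_pin_reissued_unpin"] = validate(host, reissued, dict(ca_pin), roots, revoked)
    out["ee_pin_reissued"] = validate(host, reissued, dict(ee_pin), roots, revoked)
    return out


if __name__ == "__main__":
    for case, result in diginotar_scenarios().items():
        print(f"{case:28s} {result}")
```

The model makes the trade-off concrete: the unpin rule rescues the CA-pinned customer once the root is revoked, but it does nothing for the window before revocation, in which a CA pin still accepts every certificate the compromised CA chose to issue for that name. An EE pin is unaffected by the CA's revocation because the site's own key was never revoked.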