On Tue, Dec 13, 2011 at 7:56 AM, Phillip Hallam-Baker <hal...@gmail.com> wrote:
> I don't like a solution for pinning that depends on the CA delivering the
> 'right' sort of cert. I would prefer to add in a second hash over the
> parameter values or specify them explicitly in the pin or to have the hash
> be over what the values would be if completely specified in the Key Info.

In the case of ECDSA, it'll be very rare for the parameters to be omitted since they can be compactly represented by a named curve. In fact, I've not seen code in SSL libraries that'll go hunting for EC parameters in a CA key - I strongly suspect that support for this is minimal at best.

Therefore I'm happy to simply exclude the possibility in the spec and save the complexity.

Cheers

AGL

_______________________________________________
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec
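
The following is an added example, not part of the original thread or of any spec text. It shows why the parameter form matters for a pin: the same EC point hashes differently when the key carries a named curve than when its parameters are left to be inherited, and a pinning check can refuse anything but a named curve. It assumes the pin is a base64 SHA-256 over the DER SubjectPublicKeyInfo; all function names are hypothetical and the sample keys are constructed (the point bytes are not a real curve point).

```python
import base64, hashlib

EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")  # OID 1.2.840.10045.2.1
P256 = bytes.fromhex("2a8648ce3d030107")         # OID 1.2.840.10045.3.1.7
# ECParameters is a CHOICE; the DER tag tells the alternatives apart.
FORMS = {0x06: "namedCurve", 0x05: "implicitCurve", 0x30: "specifiedCurve"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def ec_param_form(spki):
    """Classify the parameters field of an EC SubjectPublicKeyInfo."""
    _, body, _ = read_tlv(spki, 0)   # outer SEQUENCE
    _, alg, _ = read_tlv(body, 0)    # AlgorithmIdentifier
    tag, oid, pos = read_tlv(alg, 0)
    if tag != 0x06 or oid != EC_PUBLIC_KEY:
        return "not-ec"
    if pos == len(alg):
        return "absent"
    return FORMS.get(alg[pos], "unknown")

def pin_for(spki):
    """Hash the SPKI, but only when an EC key names its curve explicitly."""
    form = ec_param_form(spki)
    if form not in ("namedCurve", "not-ec"):
        raise ValueError("refusing to pin EC key with %s parameters" % form)
    return base64.b64encode(hashlib.sha256(spki).digest()).decode()

def der(tag, value):  # short-form lengths only; enough for the samples
    assert len(value) < 128
    return bytes([tag, len(value)]) + value

def make_spki(params):  # constructed sample key, same point every time
    point = b"\x04" + bytes(range(64))
    alg = der(0x30, der(0x06, EC_PUBLIC_KEY) + params)
    return der(0x30, alg + der(0x03, b"\x00" + point))

NAMED = make_spki(der(0x06, P256))   # parameters = named curve OID
IMPLICIT = make_spki(der(0x05, b""))  # parameters = NULL (inherit from CA)
```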