On Aug 1, 2013, at 6:43 PM, Phillip Hallam-Baker <hal...@gmail.com> wrote:

> On Thu, Aug 1, 2013 at 12:30 PM, Chris Palmer <pal...@google.com> wrote:
>
>> On Mon, Jul 29, 2013 at 9:13 AM, Phillip Hallam-Baker <hal...@gmail.com> wrote:
>>
>>> If we have a Diginotar type situation again (FSM forefend), we want the pins
>>> to a root to be broken at the same time the root is unloaded, yes?
>>
>> If the root of a site's cert chain --- really, any signer --- is blacklisted or even just removed from the trust anchor store, pins and Pin Validation are irrelevant since the chain won't validate. Pin Validation happens only *after* all other certificate chain checks are performed.
>
> My point is that the people who were customers of Diginotar had to get new certs quickly. The Dutch government has complained in several forums about the way in which the Diginotar root was revoked. They had an entire national port unable to function as a result.
>
> If the root is revoked, the pins have to become inoperable and allow a user to get a cert from any vendor. To me this seems too hard for the browser. This is especially true if the pins were for a sub-CA rather than the root CA.
>
> Continuity of business is an issue here.

Yes, it is. That is what the backup pin feature is for, and why it is mandatory in the draft.

Yoav
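The two mechanics this exchange turns on, Pin Validation running only after the chain has validated and the mandatory backup pin that lets a site re-key at a different CA, as an added illustration that is not from the thread or from any browser's implementation. The SPKI byte strings, the CA names and the header are constructed; the pin format (base64 of SHA-256 over the SubjectPublicKeyInfo) and the rule that a noted pin set must contain a pin for a key absent from the current chain follow the HPKP draft as published in RFC 7469.

```python
import base64, hashlib, re

# Constructed stand-ins for DER SubjectPublicKeyInfo blobs (normally pulled from
# certificates); every pin below is a hash of these constructed bytes.
LEAF_A_SPKI = b"constructed-spki:leaf-key-in-cert-from-ca-A"
CA_A_SPKI = b"constructed-spki:intermediate-ca-A"
CA_B_SPKI = b"constructed-spki:intermediate-ca-B"
BACKUP_SPKI = b"constructed-spki:offline-backup-key"  # in no deployed cert yet

def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def parse_pkp_header(value: str) -> dict:
    """Split a Public-Key-Pins header into pins, max-age and includeSubDomains."""
    out = {"pins": [], "max_age": None, "include_sub": False}
    for directive in (d.strip() for d in value.split(";")):
        m = re.fullmatch(r'pin-sha256="([A-Za-z0-9+/=]+)"', directive)
        if m:
            out["pins"].append(m.group(1))
        elif directive.lower().startswith("max-age="):
            out["max_age"] = int(directive.split("=", 1)[1])
        elif directive.lower() == "includesubdomains":
            out["include_sub"] = True
    return out

def can_note_pins(pins, chain_spkis) -> bool:
    """Only note a pin set that matches the chain AND has a backup pin not in it."""
    pinset, present = set(pins), {spki_pin(s) for s in chain_spkis}
    return bool(pinset & present) and bool(pinset - present)

def pin_validate(chain_valid: bool, chain_spkis, noted_pins) -> bool:
    """Runs only after normal chain validation; a blacklisted root never reaches it."""
    if not chain_valid:
        return False
    return bool(set(noted_pins) & {spki_pin(s) for s in chain_spkis})

# Constructed header: pin the current intermediate plus the offline backup key.
HEADER = ('pin-sha256="%s"; pin-sha256="%s"; max-age=5184000; includeSubDomains'
          % (spki_pin(CA_A_SPKI), spki_pin(BACKUP_SPKI)))

def ca_revocation_scenario() -> dict:
    """CA A's root is pulled; the site re-keys with its backup key at CA B."""
    noted = parse_pkp_header(HEADER)["pins"]
    old_chain, new_chain = [LEAF_A_SPKI, CA_A_SPKI], [BACKUP_SPKI, CA_B_SPKI]
    return {"noted_ok": can_note_pins(noted, old_chain),
            "old_chain_after_revocation": pin_validate(False, old_chain, noted),
            "new_chain_passes_pins": pin_validate(True, new_chain, noted),
            "no_backup_rejected": not can_note_pins([spki_pin(CA_A_SPKI)], old_chain)}
```

The scenario shows why the backup pin carries the continuity argument: once CA A's root is gone the old chain fails before pins are consulted, and the new chain from CA B passes Pin Validation only because the offline backup key was pinned in advance.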
_______________________________________________ websec mailing list websec@ietf.org https://www.ietf.org/mailman/listinfo/websec