Different meanings of "Pinning"? [was: Re: Sharing Trust Policy between Crypto Libraries]
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Thu Jan 3 14:48:29 PST 2013
On 12/20/2012 12:38 PM, Stef Walter wrote:
This document talks about certificate pinning, using the definitions
from RFC 6125, like:
which in turn references:
But recent work on public key pinning has a subtly different specification:
In particular, the former specification treats a pin as a list of
approved matches. That is, a certificate is allowed for a use it
normally wouldn't have been.
The more recent work treats a pin as finite and exhaustive "allowlist"
-- that is, if a pin exists for a given peer, and an otherwise-valid
certificate appears that does *not* match a known pin, it will be rejected.
Both sorts of behavior are conceptually useful in some circumstance, and
it's a shame that they share the main word "pinning".
The stapled-extensions draft appears to be able to accommodate the former
style of "pinning", but i don't think it's capable of storing the info
required by the more recent work on key pinning, even though that work
would benefit from a platform-wide data storage as well.
If we're willing to accept this lack, we should at least make an
explicit reference to the websec-key-pinning work to indicate that it is
not supported (though i'd rather find a way to support it).
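The two "pin" semantics contrasted above, as an added example that is not part of this thread or of the p11-glue project: one function treats a stored pin as an extra approved match (the RFC 6125 sense), the other as an exhaustive allowlist (the websec key-pinning sense). Peer names, SPKI fingerprints and the `otherwise_valid` flag are constructed inputs standing in for real path validation and name matching.

```python
from dataclasses import dataclass

# Constructed pin store: peer name -> set of allowed public-key fingerprints.
# The fingerprints are made-up placeholders, not real SPKI hashes.
PINS = {
    "mail.example.net": {"spki:aaaa1111"},
}

@dataclass
class PeerCert:
    peer: str               # host name the client connected to
    spki: str               # fingerprint of the certificate's public key (constructed)
    otherwise_valid: bool   # outcome of ordinary chain validation + name matching

def accept_rfc6125_pin(cert: PeerCert, pins: dict) -> bool:
    """RFC 6125 sense: a pin is a list of approved matches.
    An otherwise-valid certificate is accepted as usual, and a certificate
    that would otherwise be rejected is *also* accepted if it matches a pin,
    i.e. the pin grants a use the certificate normally would not have."""
    return cert.otherwise_valid or cert.spki in pins.get(cert.peer, set())

def accept_websec_pin(cert: PeerCert, pins: dict) -> bool:
    """websec key-pinning sense: a pin is a finite, exhaustive allowlist.
    The certificate must still pass ordinary validation, and if any pin is
    stored for this peer the certificate must match one of them.  A peer
    with no stored pin gets no extra constraint."""
    if not cert.otherwise_valid:
        return False
    allowed = pins.get(cert.peer)
    return allowed is None or cert.spki in allowed

def compare(cert: PeerCert, pins: dict) -> tuple:
    """Return (rfc6125_decision, websec_decision) for the same certificate."""
    return (accept_rfc6125_pin(cert, pins), accept_websec_pin(cert, pins))

if __name__ == "__main__":
    cases = [
        PeerCert("mail.example.net", "spki:aaaa1111", True),    # pinned, valid, matches
        PeerCert("mail.example.net", "spki:bbbb2222", True),    # pinned, valid, no match
        PeerCert("mail.example.net", "spki:aaaa1111", False),   # pinned, invalid, matches
        PeerCert("other.example.org", "spki:cccc3333", True),   # no pin stored, valid
        PeerCert("other.example.org", "spki:cccc3333", False),  # no pin stored, invalid
    ]
    for c in cases:
        print(f"{c.peer:18} {c.spki} valid={c.otherwise_valid!s:5} "
              f"rfc6125={compare(c, PINS)[0]!s:5} websec={compare(c, PINS)[1]}")
```

The second and third cases are where the two meanings diverge: an otherwise-valid certificate that does not match the stored pin is still accepted under the first reading but rejected under the second, while an otherwise-invalid certificate that does match a pin is accepted only under the first.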