Different meanings of "Pinning"? [was: Re: Sharing Trust Policy between Crypto Libraries]

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Jan 3 14:48:29 PST 2013

On 12/20/2012 12:38 PM, Stef Walter wrote:
> http://p11-glue.freedesktop.org/doc/sharing-trust-policy/

This document talks about certificate pinning, using the definitions
from RFC 6125, like:


which in turn references:


But recent work on public key pinning has a subtly different specification:


In particular, the former specification treats a pin as a list of
approved matches.  That is, a certificate is allowed for a use it
normally wouldn't have been.

The more recent work treats a pin as a finite and exhaustive "allowlist"
-- that is, if a pin exists for a given peer, and an otherwise-valid
certificate appears that does *not* match a known pin, it will be rejected.

Both sorts of behavior are conceptually useful in some circumstances, and
it's a shame that they share the main word "pinning".

The stapled-extensions draft appears to be able to accommodate the former
style of "pinning", but i don't think it's capable of storing the info
required by the more recent work on key pinning, even though that work
would benefit from a platform-wide data storage as well.

If we're willing to accept this lack, we should at least make an
explicit reference to the websec-key-pinning work to indicate that it is
not supported (though i'd rather find a way to support it).

Any thoughts?
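
The two pin semantics contrasted in the message above, as an added example that is not part of the original message or of either specification. The function names, the host name and the pinned byte strings are constructed for illustration, and matching is simplified to a single SHA-256 fingerprint of the presented item.

```python
import hashlib

def fp(blob: bytes) -> str:
    """SHA-256 fingerprint of the pinned item (certificate or public key bytes)."""
    return hashlib.sha256(blob).hexdigest()

def accept_exception_pin(pins, host, presented, normally_valid):
    """Pin as an approved match: a pinned item is accepted for this host
    even when normal validation would refuse it. Unpinned items are
    unaffected and fall through to normal validation."""
    if fp(presented) in pins.get(host, set()):
        return True
    return normally_valid

def accept_exhaustive_pin(pins, host, presented, normally_valid):
    """Pin as an exhaustive allowlist: once any pin exists for the host,
    an otherwise-valid item that matches no pin is rejected.
    Assumption: the pin only restricts and never overrides a failed
    normal validation."""
    if not normally_valid:
        return False
    allowed = pins.get(host)
    if allowed is None:          # no pin recorded for this host
        return True
    return fp(presented) in allowed

# Constructed sample data: opaque byte strings stand in for real certificates.
PINNED = b"constructed-cert-A"
OTHER = b"constructed-cert-B"
HOST = "mail.example"
PINS = {HOST: {fp(PINNED)}}

def decision_table():
    """Map (which item, normally valid?) -> (exception result, exhaustive result)."""
    table = {}
    for name, blob in (("pinned", PINNED), ("other", OTHER)):
        for valid in (True, False):
            table[(name, valid)] = (
                accept_exception_pin(PINS, HOST, blob, valid),
                accept_exhaustive_pin(PINS, HOST, blob, valid),
            )
    return table

if __name__ == "__main__":
    for (name, valid), (exc, exh) in decision_table().items():
        print(f"{name:6} valid={valid!s:5} exception-pin={exc!s:5} exhaustive-pin={exh}")
```

The two rows where the results differ (a pinned item that fails normal validation, and an unpinned item that passes it) are the reason a store holding only one kind of pin cannot express the other.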


