Different meanings of "Pinning"

Simo Sorce simo at redhat.com
Fri Jan 4 11:37:04 PST 2013


On Fri, 2013-01-04 at 11:17 -0800, Ryan Sleevi wrote:
> Sorry to break threading, but I only just joined the list, and can't
> find a good way to continue the existing thread.
> 
> While the current WebSec draft focuses on HTTP, I don't think it's
> fair to say that the concept of restrictive-pins is an HTTP-only
> approach. Certainly, alternative proposals such as TACK [1] explore
> key continuity algorithms at the TLS layer, and there has been active
> discussion at both IETF 84 and IETF 85 regarding restrictive-pins for
> other TLS-using protocols, such as IMAP.
> 
> I think there is significant value in being able to share these pins
> on a system-level basis. Even for something as restricted as HTTP, a
> user may have multiple possible HTTP clients on their machine: a
> libcurl using updater, wget straight from the shell, Firefox,
> Chromium, etc. Being able to collaborate, between applications, on
> those key lifecycles strikes me as particularly valuable, especially
> when considering the 'wget' fire-and-forget nature.

Yeah, the multiple-clients angle makes a lot of sense indeed.
Seems a bit complex to implement/define at first; maybe better deferred
to a second round.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
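As an added illustration of the shared, system-level pin store Ryan describes (this is not code from the thread or from p11-glue): one store that every TLS client on the machine consults, holding HPKP-style SPKI pins with a max-age, with the learn rule following the WebSec draft's requirement of a backup pin. The host name, key blobs and ages are constructed stand-ins.

```python
import base64, hashlib, time

def spki_pin(spki_der: bytes) -> str:
    """HPKP-style pin: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

class PinStore:
    """System-wide store that any TLS client on the host may consult or update."""
    def __init__(self):
        self.entries = {}  # host -> {"pins": set[str], "expires": epoch seconds}

    def learn(self, host, pins, max_age, chain_spkis, now=None):
        """Record restrictive pins for host; requires one pin from the served
        chain and one backup pin outside it, so key rotation cannot brick the host."""
        now = time.time() if now is None else now
        chain_pins = {spki_pin(s) for s in chain_spkis}
        pins = set(pins)
        if not (pins & chain_pins):
            raise ValueError("no pin matches the served chain")
        if not (pins - chain_pins):
            raise ValueError("no backup pin outside the served chain")
        self.entries[host] = {"pins": pins, "expires": now + max_age}

    def check(self, host, chain_spkis, now=None):
        """True if no live pin applies or some key in the chain is pinned."""
        now = time.time() if now is None else now
        entry = self.entries.get(host)
        if entry is None:
            return True
        if entry["expires"] <= now:
            del self.entries[host]  # expired pins must never block connections
            return True
        return any(spki_pin(s) in entry["pins"] for s in chain_spkis)

# Constructed sample keys: stand-ins for DER-encoded SubjectPublicKeyInfo blobs.
LEAF_KEY, BACKUP_KEY, ROGUE_KEY = b"leaf-spki", b"backup-spki", b"rogue-spki"

def demo():
    store = PinStore()
    t0 = 1_000_000  # constructed "now" so the run is deterministic
    store.learn("example.test", [spki_pin(LEAF_KEY), spki_pin(BACKUP_KEY)],
                max_age=3600, chain_spkis=[LEAF_KEY], now=t0)
    # curl, wget or a browser consulting the same store all get the same verdict.
    return {
        "legit": store.check("example.test", [LEAF_KEY], now=t0 + 10),
        "rotated_to_backup": store.check("example.test", [BACKUP_KEY], now=t0 + 10),
        "rogue": store.check("example.test", [ROGUE_KEY], now=t0 + 10),
        "rogue_after_expiry": store.check("example.test", [ROGUE_KEY], now=t0 + 7200),
    }
```

The last case shows the fire-and-forget risk Ryan raises: once the shared entry has aged out and no client has refreshed it, a rogue key is accepted again.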


