On Thu, Feb 9, 2012 at 5:26 PM, Chris Palmer <[email protected]> wrote: > On 8 févr. 2012, at 16:38, Nico Williams wrote: > I think the main thing is that pinning (whether of keys or of anything else) > and OCSP stapling are quick hacks until we get a real certificate > goodness/liveness/authorizedness publication system going (such as > Certificate Transparency, Sovereign Keys, Convergence, or whatever).
If pinning is a hack then so is Convergence. After all, Convergence is a distributed form of pinning. I don't think it's a good idea to dismiss pinning out of hand. Leap of faith learning of keys has worked reasonably well for SSH, and users are effectively taking leaps of faith all the time on the web anyways. By pinning some things about their peers we can make the leap of faith have better properties, namely to force any MITMs to continue being there or face detection. Besides, economics matters. If a "hack" is good enough for 95% of cases and cheap enough then it's better than a more elegant but also more expensive solution. It may well be that pinning is not a cheap hack that works, but we've certainly not established that yet. > Quick hacks certainly have value in the short and medium terms, but it's best > to keep them simple. The semantics of pinning just keys have turned out to be > weird enough, and getting an X.509 extension (or whatever) to express "always > require a stapled OCSP response" will also probably turn out to be > surprisingly weird, or at least amusing. I didn't say "pin just keys". Instead I'm proposing that certs tell you what about them is safe to pin, and if several factors can be pinned then how many can be expected to change before breaking the pin. A TLS extension can be used to warn about upcoming discontinuities too. > I guess I'm saying we should keep our eye on an elegant and general > *solution* rather than elegantating and generalizing our *hacks*. A public > log is, IMHO, the elegant and general solution. If there was a simple, general, elegant solution we'd have had consensus on it long ago. Yes, I do want auditable CAs, of course. Is that enough? I'm not sure. Nico -- _______________________________________________ cryptography mailing list [email protected] http://lists.randombit.net/mailman/listinfo/cryptography
