Aaron Gable <[email protected]> writes:

>pinning roots is better than pinning intermediates. And I'll reiterate that
>various Root Programs are moving towards enforcing short intermediate
>lifetimes, so this idea is not just restricted to CAs.

Just a minor nit here, talking about "pinning roots" is a bit of an oxymoron
because they're hardcoded into the trust store and you can't choose to pin
them.  If you want to give that any sort of name then perhaps it'd be
supergluing, but pinning, choosing to remember a certificate for future use,
it ain't.

In effect the use of dynamic intermediates kills pinning, because any ability
for the user to remember a known-good certificate for future use is made
impossible.

Peter.
