On Fri, Apr 8, 2011 at 4:02 PM, Jean-Marc Desperrier <[email protected]> wrote:
> On 09/04/2011 00:52, Adam Barth wrote:
>>>
>>> - CA locking functionality in HSTS or via CAA
>>
>> ^^^^ There's significant interest in this feature from chrome-security
>> as well.
>
> What about EV locking?
>
> How does a site change CA after he's started enabling CA locking?
> Would you enable multiple CA locking so that he'd start by adding the new CA
> during a while when still using the old cert, and then hope for the best
> after making the switch?
All good questions. We're still in the experimental phase, so we haven't worked out all the details yet.

Rather than CA pinning, specifically, we've been experimenting with certificate pinning, with the approach that you can pin any certificate in the chain. For example, you can pin your leaf certificate, or you can pin your CA's certificate. The only requirement is that future certificate chains MUST include that certificate. That effectively gives you EV pinning, CA pinning, and leaf-certificate pinning in one mechanism.

In addition to thinking about orderly transitions to new certificates (as you mention), there's also the case of disorderly transitions. For example, what happens if the site's private key gets compromised and it wishes to move to a new certificate before it planned?

Adam

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
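The "pin any certificate in the chain" rule and the two transition cases discussed above, as an added worked example (not code from the thread or from Chromium): certificates are stand-in byte strings, a pin is the SHA-256 of a certificate, and the chain is accepted when any certificate in it matches a pin. The backup-pin handling of the key-compromise case is an assumption of this example, not something the message specifies.

```python
import hashlib

# Constructed stand-in "certificates". Real pins would be over DER-encoded
# X.509 certificates; opaque bytes are enough to show the acceptance logic.
ROOT_CA = b"constructed: Root CA cert"
OLD_CA = b"constructed: Intermediate CA A"
NEW_CA = b"constructed: Intermediate CA B"
OLD_LEAF = b"constructed: example.test leaf, key 1, issued by CA A"
NEW_LEAF = b"constructed: example.test leaf, key 2, issued by CA B"


def pin_of(cert: bytes) -> str:
    """A pin is the SHA-256 fingerprint of the certificate as sent on the wire."""
    return hashlib.sha256(cert).hexdigest()


def chain_satisfies_pins(chain: list, pins: set) -> bool:
    """Accept the chain only if at least one certificate in it matches a pin.

    Any certificate in the chain may be pinned (leaf, intermediate or root),
    and a future chain MUST include it. An empty pin set means no pinning.
    """
    if not pins:
        return True
    return any(pin_of(cert) in pins for cert in chain)


def orderly_rollover() -> list:
    """Move from CA A to CA B without an outage: advertise the new pin first,
    switch the served chain second, retire the old pin last."""
    old_chain = [OLD_LEAF, OLD_CA, ROOT_CA]
    new_chain = [NEW_LEAF, NEW_CA, ROOT_CA]
    pins = {pin_of(OLD_CA)}                     # step 0: only CA A is pinned
    r0 = chain_satisfies_pins(new_chain, pins)  # switching now strands clients
    pins.add(pin_of(NEW_CA))                    # step 1: both CAs pinned
    r1 = chain_satisfies_pins(old_chain, pins)  # old chain still accepted
    r2 = chain_satisfies_pins(new_chain, pins)  # new chain accepted too
    pins.discard(pin_of(OLD_CA))                # step 2: retire CA A
    r3 = chain_satisfies_pins(new_chain, pins)
    return [r0, r1, r2, r3]  # [False, True, True, True]


def disorderly_rollover() -> list:
    """Leaf key compromised: a leaf-only pin rejects every re-issued leaf until
    the cached pin expires; an extra pin on the issuing CA (assumed backup)
    lets the site re-issue immediately under the same CA."""
    leaf_only = {pin_of(OLD_LEAF)}
    leaf_plus_backup = {pin_of(OLD_LEAF), pin_of(OLD_CA)}
    emergency_chain = [b"constructed: re-issued leaf, key 3", OLD_CA, ROOT_CA]
    return [chain_satisfies_pins(emergency_chain, leaf_only),          # False
            chain_satisfies_pins(emergency_chain, leaf_plus_backup)]   # True
```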
