Matthew Selsky via devel writes:
> Do you have an example of software that implements pinning as BOTH a
> central trust store + a specific pin?

Pinning doesn't provide a trust store, it restricts it.

> postfix allows the user to specify a trust-anchor file per destination. So a
> typical postfix tls policy table (when you need specific TLS policy rules)
> might have:
>
> foo.com secure tafile=/etc/ssl/certs/QuoVadis_Root_CA_2_G3.pem
> bar.com secure
>
> So foo.com is required to match a specific commercial CA and bar.com is
> allowed to match any CA in the system trust store.

Yes, except that larger servers would probably want to have multiple CAs
listed. But in general I think giving NTS its own trust anchors (either
generally or per host) is the right way forward. Also scope restrictions
(PKIX) should be evaluated.

Regards,
Achim.
--
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+
Waldorf MIDI Implementation & additional documentation:
http://Synth.Stromeko.net/Downloads.html#WaldorfDocs
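The point made in the thread, that a client such as NTS should verify the server chain against its own anchor set (one or several CAs per destination) instead of the system trust store, as an added Go example that is not code from this thread, from NTPsec or from Postfix; the CA names and the host foo.example are constructed, and mint/verifyPinned are hypothetical helper names:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mint issues a certificate for name signed by parent; parent == nil yields a
// self-signed root CA. Keys and names are constructed for this example only.
func mint(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:              []string{name},
	}
	if parent == nil { // self-signed root: it is its own issuer
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		tmpl.DNSNames, tmpl.ExtKeyUsage = nil, nil
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verifyPinned validates leaf for host against ONLY the listed anchors, the
// equivalent of a "secure tafile=..." policy entry (tafile may be repeated
// for several CAs). The system trust store is deliberately never consulted.
func verifyPinned(leaf *x509.Certificate, host string, anchors ...*x509.Certificate) error {
	roots := x509.NewCertPool() // empty pool, not x509.SystemCertPool()
	for _, a := range anchors {
		roots.AddCert(a)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}
```

Passing a non-nil but empty pool is what makes this a restriction: Go falls back to the system roots only when Roots is nil.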