On Apr 12, 2021, at 12:22 PM, Joseph Salowey <[email protected]> wrote:
> [Joe] without some sort of name matching using certs from a public CA is
> unwise.

The only other alternative is to "pin" the server cert. Many systems support this. Perhaps mentioning Time of First Use (TOFU) would help here.

i.e. if the peer pins both the CA and the server cert, then the contents of the server cert matter less. All that matters is that the peer detects if/when the server cert changes.

If we rely on names, then which one? There are many fields in a certificate which could be used.

> After looking into this in some depth, the only real thing you can depend
> on is the CA. If the CA is trusted, nothing else matters. If the CA is not
> trusted, then nothing else matters.
>
> [Joe] In this case we would have to rule out CAs that are not under the
> organization's control (public CAs)

Only if the peer doesn't notice if the server cert changes.

I think it's safe to recommend that clients pin both the server cert and the CA cert. Anything else is "there be dragons".

Alan DeKok.
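The pin-on-first-use check recommended in the message above, as an added example that is not part of the original thread or taken from any EAP implementation. The `PinStore` class, the network label `corp-wifi` and the byte strings standing in for DER certificates are assumptions made for illustration; signature validation of the chain is assumed to be done by the TLS stack and is not shown.

```python
import hashlib
import hmac
from enum import Enum


class PinResult(Enum):
    FIRST_USE = "first use: both pins recorded"
    MATCH = "match"
    CA_CHANGED = "CA certificate changed"
    SERVER_CHANGED = "server certificate changed"


def fingerprint(der: bytes) -> str:
    # Hash the whole encoded certificate, so no name field has to be chosen.
    return hashlib.sha256(der).hexdigest()


class PinStore:
    """Hypothetical per-network store: network label -> (CA pin, server pin)."""

    def __init__(self):
        self._pins = {}

    def check(self, network: str, ca_der: bytes, server_der: bytes) -> PinResult:
        seen = (fingerprint(ca_der), fingerprint(server_der))
        pinned = self._pins.get(network)
        if pinned is None:
            self._pins[network] = seen  # first contact: pin both certificates
            return PinResult.FIRST_USE
        # A mismatch is reported and never silently overwrites the stored pins.
        if not hmac.compare_digest(pinned[0], seen[0]):
            return PinResult.CA_CHANGED
        if not hmac.compare_digest(pinned[1], seen[1]):
            return PinResult.SERVER_CHANGED
        return PinResult.MATCH


# Constructed sample inputs: placeholder bytes, not real certificates.
CA_A = b"constructed DER: CA A"
CA_B = b"constructed DER: CA B"
SRV_1 = b"constructed DER: server cert 1, names N, issued by CA A"
SRV_2 = b"constructed DER: server cert 2, same names N, issued by CA A"


def demo():
    store = PinStore()
    return [
        store.check("corp-wifi", CA_A, SRV_1),  # first use
        store.check("corp-wifi", CA_A, SRV_1),  # unchanged
        store.check("corp-wifi", CA_A, SRV_2),  # same CA and names, new cert
        store.check("corp-wifi", CA_B, SRV_1),  # different CA
    ]
```

The third call is the case name matching alone would accept: the replacement certificate carries the same names under the same CA, and only the server pin detects the change.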
