On Fri, Nov 15, 2013 at 10:26 AM, Winfried Tilanus <[email protected]> wrote:
> Now take a look at the manifesto. It states:
>
> "provide user or administrative interfaces showing:
> (...)
> o a warning about any changes to a server's certificate"
>
> that last point IS certificate pinning.
>

That's not quite what Ralf is asking for. He's asking for (one of the) pinning mechanisms which allow a certificate transition to itself be authenticated. They're actually mechanisms to allow pinning to work, rather than pinning per se. Mostly, they operate either by an additional level of indirection (i.e., essentially a mini-CA) or by advance notice signed by the original certificate - there are a number of options, but they all boil down to a method to remove that "ask the user" phase when the certificate changes, by allowing the client to make the assertion that the new certificate has the same identity as the old one.

Dave.
