On 02-07-13 17:32, coderman wrote:
> On Tue, Jul 2, 2013 at 2:36 AM, Guido Witmond <[email protected]> wrote:
>> ...
>> Check http://perspectives.project.org;
>> Transparency: http://www.certificate-transparency.org/;
>> or others.
>> ...
>> Publish the sites' TLS certificate in DNSSEC with DANE. Or use the CAA
>> proposal.
>
>
> i would still prefer the best option where available: certificate
> pinning from the service and application provider directly. e.g.
> Google Chrome cert pins for Google services.

Certificate pinning certainly provides the best protection when connecting to Gmail with a Google-provided Chrome browser running on a Google-provided operating system. I don't expect them to provide anything less (secure) for their customers/users. But it does nothing to protect me when connecting to sites that Google does not include in their pinning list. There I have the same problem as before.

> you can also roll your own root and server certificate validation
> rules using out of band determination of "valid" server / ca certs if
> you don't trust third parties to do this properly! difficulty varies
> by application and platform...

Those third parties have proven not to be trustworthy. That's why we need monitoring systems like Perspectives and CT, and DNSSEC/DANE or CAA to tell us which certificate authority to expect.

Cheers, Guido.

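As an added example, not part of this thread, of the DANE side of the discussion: building the TLSA record (RFC 6698) that a site would publish for its certificate, and checking a certificate presented in a TLS handshake against that record. It uses only the Python standard library and a constructed, unsigned, DER-shaped certificate; it implements the association-data match for end-entity usages only, so a real validator must additionally perform PKIX chain validation for usage 1 and match a CA certificate from the chain for usages 0 and 2.

```python
import hashlib
import hmac
def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, end) with end just past the TLV."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _der(tag, content):
    """Minimal DER encoder, used only to build the constructed demo certificate."""
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def spki_from_cert(cert_der):
    """Extract the DER SubjectPublicKeyInfo (RFC 5280) that TLSA selector 1 refers to."""
    _, cert, _ = _tlv(cert_der, 0)                      # Certificate SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                           # tbsCertificate SEQUENCE
    tag, _, pos = _tlv(tbs, 0)                          # [0] version (optional) or serialNumber
    if tag == 0xA0:
        _, _, pos = _tlv(tbs, pos)                      # serialNumber
    for _ in range(4):                                  # signature, issuer, validity, subject
        _, _, pos = _tlv(tbs, pos)
    _, _, end = _tlv(tbs, pos)
    return tbs[pos:end]

def tlsa_rdata(cert_der, usage=3, selector=1, matching_type=1):
    """TLSA RDATA in RFC 6698 presentation format, e.g. '3 1 1 <sha256 of SPKI>'."""
    data = cert_der if selector == 0 else spki_from_cert(cert_der)
    digest = {0: lambda d: d, 1: lambda d: hashlib.sha256(d).digest(),
              2: lambda d: hashlib.sha512(d).digest()}[matching_type](data)
    return f"{usage} {selector} {matching_type} {digest.hex()}"

def tlsa_matches(cert_der, rdata):
    """Association-data check for end-entity usages (1/3); usage 1 also needs PKIX validation."""
    usage, selector, matching_type, assoc = rdata.split()
    expected = tlsa_rdata(cert_der, int(usage), int(selector), int(matching_type))
    return hmac.compare_digest(expected.split()[3], assoc.lower())

def constructed_demo_cert(key_bits=b"\x01" * 256):
    """Constructed, DER-shaped, unsigned certificate for the demo (not a real certificate)."""
    rsa_oid = _der(0x06, bytes.fromhex("2a864886f70d010101"))   # rsaEncryption OID
    spki = _der(0x30, _der(0x30, rsa_oid + _der(0x05, b"")) + _der(0x03, b"\x00" + key_bits))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")   # v3, serial 1
               + _der(0x30, b"") * 4 + spki)             # empty signature/issuer/validity/subject
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
```

The record is published at the name `_443._tcp.<hostname>` in a DNSSEC-signed zone, and the client must obtain it through a DNSSEC-validating lookup for the check to mean anything.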