<noloa...@gmail.com> wrote:
> You pin a certificate by whitelisting expected server certificates
> (possibly thumbprints).

How to do that?

> There's usually no need to sign another's key
> or certificate (I've never done it that way, and never seen it done
> that way).

A little more background... Stories like the diginotar compromise [1] may 
happen again, anytime. I am developing an anonymous operating system [2]. We 
use wget to download Tor Browser from torproject.org and to access 
check.torproject.org. (Not available over secure apt.) Wget does offer ca 
pinning, but does not support certificate pinning [3].

So my original question was how do I get wget to verify the torproject.org 
fingerprint [4] without depending on root CA's? The only possible solution I 
saw was downloading the torproject.org SSL public key, run a local CA, sign the 
certificate and run wget with the --ca-certificate switch. That's why I posted 
the question "Sign public key without having CSR or private key?" here.

If there are any suggestions for this situation I am all ears.

[2] https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/
[3] https://lists.gnu.org/archive/html/bug-wget/2012-07/msg00008.html
[4] https://www.torproject.org/docs/faq.html.en#SSLcertfingerprint

powered by Secure-Mail.biz - anonymous and secure e-mail accounts.

OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

Reply via email to