On Mon, Oct 8, 2012 at 3:49 PM, Charles Mills <charl...@mcn.org> wrote:
> Aren't you talking here about the client's validation of the server's
> credentials? That's useful information, but my question was about server
> validation of client certificates ...
It cuts both ways. Both the client and server can perform the additional validations.
Jeff

> -----Original Message-----
> From: owner-openssl-us...@openssl.org
> [mailto:owner-openssl-us...@openssl.org] On Behalf Of Jeffrey Walton
> Sent: Monday, October 08, 2012 11:13 AM
> To: OpenSSL Users List
> Subject: Re: Best practice for client cert name checking
>
> On Mon, Oct 8, 2012 at 9:25 AM, Mark H. Wood <mw...@iupui.edu> wrote:
>> On Mon, Oct 08, 2012 at 07:42:04AM +0000, Marco Molteni (mmolteni) wrote:
>>> try searching for "certificate pinning". If you are familiar with
>>> ssh, it is the same concept as the StrictHostKeyChecking option
>>> (although obviously SSH and TLS are completely distinct protocols and
>>> by default SSH doesn't use X.509 certs).
>>>
>>> The idea is: with a standard TLS connection, acting as TLS client,
>>> you connect to a host for the first time and you receive its
>>> certificate. The standard TLS verifications are successful (meaning:
>>> the certificate really belongs to the host and it has been issued by
>>> a CA you trust). When the connection is closed, a normal TLS client will
>>> forget the certificate.
>>>
>>> On the other hand, certificate pinning remembers the certificate.
>>> Pinning means storing such a certificate locally and associating it with
>>> the hostname you connected to. If the next time you connect the
>>> certificate has changed, a system supporting certificate pinning will warn
>>> you.
>>
>> I believe this is what the Certificate Patrol plugin for Firefox is
>> doing, if you want to see it in action.
> This plug-in pins certificates (not public keys), and creates a lot of
> spurious noise on some sites (for example, Google and Gmail). It desensitizes
> the user.
>
> I've been running experiments on Google and Gmail for the last couple of
> years. If you are pinning for those sites, you definitely want to pin public
> keys.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
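The difference the thread turns on, as an added example that is not part of the original messages and not OpenSSL project code: pinning the whole certificate (what the Certificate Patrol plug-in is said to do) versus pinning the SubjectPublicKeyInfo, checked against the same trust-on-first-use flow Marco Molteni describes. The certificates below are constructed inline with a tiny DER encoder (dummy key bytes, dummy signature, nothing is signed or validated); CERT_2013 is CERT_2012 re-issued with a new serial number and validity period but the same public key, which is the kind of rotation that makes a certificate pin fire while a public-key pin stays quiet. The hostname, dates and key bytes are made up. Only the Python standard library is used; in a real client the DER would come from ssl.SSLSocket.getpeercert(binary_form=True), which is what extract_spki() expects.

```python
"""SPKI pinning vs. certificate pinning, Python standard library only.
Added example; not code from the thread or the OpenSSL project.  Certificates
are constructed inline (dummy key bytes, dummy signature, nothing is signed or
valid).  In a real client the DER comes from getpeercert(binary_form=True)."""
import base64
import hashlib

# ---- minimal DER encoder, enough for a TBSCertificate skeleton ----
def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content

def seq(*children: bytes) -> bytes:
    return tlv(0x30, b"".join(children))

def integer(n: int) -> bytes:
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))  # sign bit stays 0

OID_RSA = tlv(0x06, bytes.fromhex("2a864886f70d010101"))         # rsaEncryption
OID_SHA256_RSA = tlv(0x06, bytes.fromhex("2a864886f70d01010b"))  # sha256WithRSAEncryption
OID_CN = tlv(0x06, bytes.fromhex("550403"))                      # commonName

def name(cn: str) -> bytes:
    # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue (CN only here)
    return seq(tlv(0x31, seq(OID_CN, tlv(0x0C, cn.encode()))))

def spki(key_bytes: bytes) -> bytes:
    # SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING }
    return seq(seq(OID_RSA, tlv(0x05, b"")), tlv(0x03, b"\x00" + key_bytes))

def certificate(serial, not_before, not_after, issuer, subject, spki_der) -> bytes:
    sig_alg = seq(OID_SHA256_RSA, tlv(0x05, b""))
    tbs = seq(tlv(0xA0, integer(2)),                              # [0] EXPLICIT v3
              integer(serial), sig_alg, name(issuer),
              seq(tlv(0x17, not_before.encode()), tlv(0x17, not_after.encode())),
              name(subject), spki_der)
    return seq(tbs, sig_alg, tlv(0x03, b"\x00" + bytes(32)))      # fake signature

# ---- minimal DER reader: walk a certificate (real or constructed) to its SPKI ----
def der_read(buf: bytes, pos: int):
    """Return (tag, content_start, content_end) of the TLV at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                                 # long-form length
        nbytes = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, pos, pos + ln

def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate."""
    _, cert_cs, _ = der_read(cert_der, 0)                         # Certificate
    _, pos, tbs_end = der_read(cert_der, cert_cs)                 # TBSCertificate
    fields = []
    while pos < tbs_end and len(fields) < 7:
        tag, _, ce = der_read(cert_der, pos)
        fields.append((tag, pos, ce))
        pos = ce
    if fields[0][0] == 0xA0:                                      # optional [0] version
        fields.pop(0)
    tag, start, end = fields[5]   # serial, signature, issuer, validity, subject, SPKI
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return cert_der[start:end]

def spki_pin(cert_der: bytes) -> str:   # RFC 7469 style: base64(sha256(DER SPKI))
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def cert_pin(cert_der: bytes) -> str:   # pin the whole certificate instead
    return base64.b64encode(hashlib.sha256(cert_der).digest()).decode()

def trust_on_first_use(store: dict, host: str, cert_der: bytes, mode: str = "spki") -> str:
    """Remember the pin on first contact, compare on every later connection."""
    pin = spki_pin(cert_der) if mode == "spki" else cert_pin(cert_der)
    if host not in store:
        store[host] = pin
        return "pinned"
    return "ok" if store[host] == pin else "MISMATCH"

# ---- constructed sample data: hostname, key bytes and dates are made up ----
KEY_A = hashlib.sha256(b"constructed key A").digest() * 8   # 256 dummy key bytes
KEY_B = hashlib.sha256(b"constructed key B").digest() * 8
HOST = "www.example.com"
CERT_2012 = certificate(0x1001, "120101000000Z", "130101000000Z", "Example CA", HOST, spki(KEY_A))
CERT_2013 = certificate(0x2001, "130101000000Z", "140101000000Z", "Example CA", HOST, spki(KEY_A))
CERT_NEWKEY = certificate(0x3001, "130101000000Z", "140101000000Z", "Example CA", HOST, spki(KEY_B))

if __name__ == "__main__":
    for mode in ("cert", "spki"):
        store = {}
        print(mode, [trust_on_first_use(store, HOST, c, mode) for c in (CERT_2012, CERT_2013, CERT_NEWKEY)])
```

Run stand-alone it reports the certificate pin as MISMATCH on the routine re-issue and the SPKI pin as ok, while both modes flag the certificate carrying a different key. Two caveats a deployment needs beyond this sketch: the pin check is an addition to, not a replacement for, the normal chain and name validation the thread is discussing (it runs after the handshake has already verified the certificate), and a site that pins should carry a backup pin for a key it has not yet deployed, otherwise the next genuine key change locks its own clients out.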