Viktor Dukhovni:
> On Tue, Oct 22, 2013 at 11:07:07AM +0200, Tobias Reckhard wrote:
>
> > Maybe fingerprinting would work, though. I'll give it a shot on a test
> > system. Thanks for the suggestion.
>
> Fingerprinting the leaf certificate will work until the next time
> they deploy a new leaf certificate without notifying you in advance.
> This is because fingerprint security does not rely on a valid chain
> of signatures from a trusted root, but does depend on matching the
> exact certificate or public key.

Presumably, this would not be a problem with public-key fingerprints
until they change the key itself.

Wietse
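
The difference between the two kinds of pin discussed in this thread, shown with the `openssl` command line as an added example that is not part of the original messages. The keys and certificates are constructed throwaways, and the host name `mail.example.com` and the SHA-256 digest are assumptions made for the demo.

```shell
#!/bin/sh
# Constructed demo: throwaway keys and self-signed certificates for the
# placeholder name mail.example.com; nothing here comes from the thread.

# Digest of the whole DER certificate (what a certificate fingerprint pins).
cert_fp() {
    openssl x509 -in "$1" -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Digest of the DER SubjectPublicKeyInfo only (what a public-key fingerprint pins).
pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

new_key() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
        -out "$1" 2>/dev/null
}

# Self-signed certificate for key $1, written to $2, valid for $3 days.
issue_cert() {
    openssl req -new -x509 -key "$1" -out "$2" -days "$3" \
        -subj "/CN=mail.example.com" 2>/dev/null
}

# Report which pins of certificate $1 still match certificate $2.
compare_pins() {
    c=same; p=same
    [ "$(cert_fp "$1")" = "$(cert_fp "$2")" ] || c=changed
    [ "$(pubkey_fp "$1")" = "$(pubkey_fp "$2")" ] || p=changed
    echo "cert=$c pubkey=$p"
}

demo() {
    d=$(mktemp -d) || return 1
    new_key "$d/k1.pem" && new_key "$d/k2.pem" || return 1
    issue_cert "$d/k1.pem" "$d/old.pem" 30
    issue_cert "$d/k1.pem" "$d/renewed.pem" 365   # new certificate, same key
    issue_cert "$d/k2.pem" "$d/rekeyed.pem" 365   # new certificate, new key
    echo "renewal: $(compare_pins "$d/old.pem" "$d/renewed.pem")"
    echo "rekey: $(compare_pins "$d/old.pem" "$d/rekeyed.pem")"
    rm -rf "$d"
}

demo
```

A renewal that reuses the key invalidates only the certificate pin, while a rekey invalidates both, so a public-key pin still needs advance notice of key rotation.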