On 5/09/11 7:23 PM, Gervase Markham wrote:
The thing which makes the entire system as weak as its weakest link is
the lack of CA pinning.
Just a question of understanding: how is the CA pinning information
delivered to the browser?
(For those who don't know, I also had to look it up too
On 2011-09-06 9:35 AM, Ian G wrote:
(Another sign that the processes aren't doing the job is that CABForum's
solution is to add more audits. We're up to 4, now, right? WebTrust, BR,
EV, vendor. Would 5 do it? 6?)
Shades of Sarbanes-Oxley.
___
the browser vendors have chosen to prevent them from employing any other
option (I can't, for example, turn on TLS-PSK or TLS-SRP in my server,
because no browsers support it - it would make the CAs look bad if it
were deployed).
Patches welcome? (Or did we reject them already? :-)