RE: Use of Certificate/Public Key Pinning

2019-08-22 Thread Tim Hollebeek via dev-security-policy
with care. -Tim > -Original Message- > From: dev-security-policy On > Behalf Of Ryan Sleevi via dev-security-policy > Sent: Wednesday, August 14, 2019 2:08 PM > To: Nuno Ponte > Cc: mozilla-dev-security-policy > > Subject: Re: Use of Certificate/Public Key Pin

Re: Use of Certificate/Public Key Pinning

2019-08-14 Thread Ryan Sleevi via dev-security-policy
On Tue, Aug 13, 2019 at 11:12 AM Nuno Ponte via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Dear m.d.s.p., > > I would like to bring into discussion the use of certificate/public key > pinning and the impacts on the 5-days period for certificate revocation > according to

Re: Use of Certificate/Public Key Pinning

2019-08-13 Thread Matthew Hardeman via dev-security-policy
I feel that there's a great deal of consultancy and assistance that CAs and PKI professionals could bring to their more sophisticated customers with scenarios such as these where public key pinning in a field-deployed application may present problems for certificates being revoked. A best

Re: Use of Certificate/Public Key Pinning

2019-08-13 Thread Tom Ritter via dev-security-policy
PKP is a footgun. Deploying it without being prepared for the situations you've described is ill-advised. There are a few options available for organizations who want to pin, in increasing order of sophistication: Enforce Certificate Transparency. You're not locked into any CA or key, only that

Re: Use of Certificate/Public Key Pinning

2019-08-13 Thread Paul Wouters via dev-security-policy
On Mon, 12 Aug 2019, Nuno Ponte via dev-security-policy wrote: Recently, we (Multicert) had to roll out a general certificate replacement due to the serial number entropy issue. Some of the most troubled cases to replace the certificates were customers doing certificate pinning on mobile apps.