On Mon, Jun 13, 2022 at 02:16:03PM -0400, Daniel Migault wrote:

> Thanks for the detailed response, that is very much appreciated. When I
> wrote the initial email, I had more in mind some sort of configuration - as
> opposed to DANE. I agree that the use of SPKI should not cause any of the
> headaches associated with pinning.

Yes, and this is why I explained that in OpenSSL the DANE API actually also
supports locally-configured SPKI data, via synthetic TLSA records
supplied by the application, because OpenSSL has no idea where the "TLSA
records" came from.  The "TLSA 3 1 1" records purported by the
application may actually be local SPKI pins.

This makes for a more flexible and uniform interface that is agnostic
as to the source of the data, and can also pin trust-anchor (CA)
fingerprints, not just EE fingerprints.

-- 
    Viktor.
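As an added illustration of the point above (example code written for this page, not from the thread and not OpenSSL's own API), here is a stand-alone Python model of what the application does on its side: derive synthetic TLSA "3 1 1" (EE) and "2 1 1" (trust-anchor) records from locally configured certificates, and match a presented chain against them the way DANE would. The certificates, the `tlv` encoder and `fake_cert` builder are constructed for the example; in real use the derived records would be handed to OpenSSL's DANE interface rather than matched by `pins_match`.

```python
import hashlib

def der_tlv(buf, off=0):
    """Read one DER TLV at buf[off]; return (tag, value, offset just past it)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length
def der_children(value):
    """Split a constructed DER value into its encoded child elements."""
    out, off = [], 0
    while off < len(value):
        _, _, end = der_tlv(value, off)
        out.append(value[off:end])
        off = end
    return out
def spki_from_cert(cert_der):
    """Return the DER SubjectPublicKeyInfo: Certificate > tbsCertificate > field after subject."""
    _, cert, _ = der_tlv(cert_der)
    _, tbs, _ = der_tlv(cert)
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[5]                                    # serial, sigAlg, issuer, validity, subject, SPKI
def synthetic_tlsa(usage, cert_der):
    """Synthetic TLSA record (usage, selector 1 = SPKI, mtype 1 = SHA-256) derived from a local pin."""
    return (usage, 1, 1, hashlib.sha256(spki_from_cert(cert_der)).digest())
def pins_match(chain_der, tlsa_records):
    """DANE-style matching: usage 3 (DANE-EE) against the leaf, usage 2 (DANE-TA) against any issuer."""
    digests = [hashlib.sha256(spki_from_cert(c)).digest() for c in chain_der]
    for usage, selector, mtype, data in tlsa_records:
        if (selector, mtype) != (1, 1):                 # only SPKI/SHA-256 pins are modelled here
            continue
        if (usage == 3 and data == digests[0]) or (usage == 2 and data in digests[1:]):
            return True
    return False
def tlv(tag, value):
    """DER TLV encoder, used only to construct the sample certificates below."""
    n = len(value)
    length = bytes([n]) if n < 128 else bytes([0x81, n]) if n < 256 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + value
def fake_cert(key_bits):
    """Constructed stand-in for an X.509 cert: correct DER skeleton, dummy fields, no real key or signature."""
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"") + tlv(0x30, b"")
           + tlv(0x30, b"") + tlv(0x30, b"") + tlv(0x30, tlv(0x03, b"\x00" + key_bits)))
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00sig"))

LEAF, ISSUER = fake_cert(b"leaf-key" * 20), fake_cert(b"ca-key" * 30)   # constructed sample chain
LOCAL_PINS = [synthetic_tlsa(3, LEAF), synthetic_tlsa(2, ISSUER)]        # EE pin plus CA pin, no DNS involved
```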

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls