I think that the complexity of pinning and the consequences of getting it wrong are going to mean that this is something that should only be done by the very competent and knowledgeable, or those who hand over administration of their systems to such. This may be in the form of outsourced provision or code that does the right thing and makes it hard to do the wrong thing.
I don't think the capabilities/ease of use of currently existing free DIY cert signer kits should be the criterion to measure against. If this is going to work, people need to be using tools designed for the purpose of managing the whole thing end to end. Even if that is only a Perl front end on those free tools, there is going to need to be something that walks the sysadmin through.

Rather than look at the extent of the changes required, I prefer to look at the number of components in the system that need to be touched. I would rather make two separate modifications to the CA than one to the CA and another to the Web server. In general, every piece of the system that has to be touched costs when it comes to deployment.

We are going to have to touch the CA/cert server system to make pinning work. (Even if only because the CAs are the people who explain to the typical admin how to make all of this work.) So far we do not need to make changes to the Web server beyond adding static headers, which is something most Web servers already support. Changing the TLS component of the Web server opens a box labelled 'code' and gets us into some really long product cycle delays. Like on IIS, for example.

On Mon, Oct 17, 2011 at 6:53 PM, Marsh Ray <[email protected]> wrote:
> On 10/17/2011 05:21 PM, Chris Palmer wrote:
>> Your average sys admin is more comfortable telling Apache to send a
>> particular header with particular text than wrangling openssl(1) to
>> add various extensions to a certificate.
>
> My understanding is that most people just generate their certs directly
> using their CA's web interface and download the result.
>
> On one hand this would suggest that admins will be ill-prepared to set
> custom x509 extensions. On the other, we may find that CAs are quite
> receptive to new features which support pinning customers to
> themselves.
>
> - Marsh
>
> _______________________________________________
> websec mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/websec

-- 
Website: http://hallambaker.com/
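The "static header" route the thread is weighing, as an added worked example that is not part of the original messages: a stdlib-only Python script that pulls the SubjectPublicKeyInfo out of a DER/PEM certificate, computes the pin value (base64 of SHA-256 over the DER-encoded SPKI) and emits a Public-Key-Pins header in the syntax that was later standardized in RFC 7469, which postdates this 2011 discussion; the draft syntax of the time differed. The certificate bytes are constructed inside the script (`build_sample_cert`) and contain no real key or signature, so the computed pins are illustrative only; the DER walker assumes a well-formed RFC 5280 Certificate, in which the SPKI is always the seventh element of the TBSCertificate (sixth when the optional version field is absent).

```python
import base64
import hashlib
import re

# --- minimal DER helpers, enough to walk an X.509 Certificate without a crypto library ---

def der(tag: int, payload: bytes) -> bytes:
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + length + payload


def read_tlv(buf: bytes, pos: int):
    """Decode the TLV at buf[pos]; return (tag, value_start, end_of_element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nb = first & 0x7F
        if nb == 0 or nb > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + nb], "big")
        pos += nb
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("DER element overruns buffer")
    return tag, pos, pos + length


def spki_from_cert_der(cert: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of an RFC 5280 Certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, pos, _ = read_tlv(cert, 0)            # outer Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a Certificate SEQUENCE")
    tag, pos, _ = read_tlv(cert, pos)          # tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a TBSCertificate SEQUENCE")
    tag, _, nxt = read_tlv(cert, pos)
    if tag == 0xA0:                            # EXPLICIT [0] version present (v2/v3 certs)
        pos = nxt
    for _ in range(5):                         # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(cert, pos)
    tag, _, end = read_tlv(cert, pos)
    if tag != 0x30:
        raise ValueError("expected SubjectPublicKeyInfo SEQUENCE")
    return cert[pos:end]                       # whole SPKI TLV, which is what gets hashed


def pem_to_der(pem: str) -> bytes:
    body = re.sub(r"-----(BEGIN|END) [A-Z ]+-----", "", pem)
    return base64.b64decode("".join(body.split()))


def to_pem(der_bytes: bytes, label: str = "CERTIFICATE") -> str:
    b64 = base64.b64encode(der_bytes).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def pin_sha256(spki: bytes) -> str:
    """pin-sha256 directive value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki).digest()).decode("ascii")


def has_backup_pin(pins) -> bool:
    """RFC 7469 requires at least two distinct pins: the live key plus an offline backup."""
    return len(set(pins)) >= 2


def build_pkp_header(pins, max_age: int = 60 * 24 * 3600, include_subdomains: bool = False) -> str:
    """Render the header line; refuses a pin set that would lock the site to a single key."""
    if not has_backup_pin(pins):
        raise ValueError("need a backup pin: supply at least two distinct pin-sha256 values")
    directives = [f'pin-sha256="{p}"' for p in pins] + [f"max-age={max_age}"]
    if include_subdomains:
        directives.append("includeSubDomains")
    return "Public-Key-Pins: " + "; ".join(directives)


# --- constructed sample certificate (no real key, no real signature; for demonstration only) ---
OID_RSA = bytes.fromhex("2a864886f70d010101")         # 1.2.840.113549.1.1.1 rsaEncryption
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11 sha256WithRSAEncryption
OID_CN = bytes.fromhex("550403")                      # 2.5.4.3 commonName


def build_sample_cert(key_bytes: bytes, v1: bool = False):
    """Assemble a syntactically valid Certificate around dummy key bits; returns (cert, spki)."""
    alg = lambda oid: der(0x30, der(0x06, oid) + der(0x05, b""))
    name = lambda cn: der(0x30, der(0x31, der(0x30, der(0x06, OID_CN) + der(0x0C, cn))))
    spki = der(0x30, alg(OID_RSA) + der(0x03, b"\x00" + key_bytes))
    tbs = b"" if v1 else der(0xA0, der(0x02, b"\x02"))                              # version v3
    tbs += der(0x02, b"\x01")                                                        # serialNumber
    tbs += alg(OID_SHA256_RSA)                                                       # signature
    tbs += name(b"Example CA")                                                       # issuer
    tbs += der(0x30, der(0x17, b"110101000000Z") + der(0x17, b"121231235959Z"))    # validity
    tbs += name(b"www.example.com")                                                  # subject
    tbs += spki                                                                      # subjectPublicKeyInfo
    cert = der(0x30, der(0x30, tbs) + alg(OID_SHA256_RSA) + der(0x03, b"\x00" * 33))
    return cert, spki


if __name__ == "__main__":
    live_cert, _ = build_sample_cert(bytes(range(1, 33)))     # constructed key bits
    backup_cert, _ = build_sample_cert(bytes(range(33, 65)))  # constructed backup key bits
    pins = [pin_sha256(spki_from_cert_der(pem_to_der(to_pem(c)))) for c in (live_cert, backup_cert)]
    print(build_pkp_header(pins, max_age=5184000, include_subdomains=True))
```

The output line is what an admin would paste into the server configuration (for Apache with mod_headers, `Header always set Public-Key-Pins "..."`), which is the "static header" the message says most Web servers already support. The script deliberately refuses to emit a header with fewer than two distinct pins: a pin set with no backup key is the simplest way of "getting it wrong", since a lost or rotated key then locks every returning client out for the full max-age.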
