DSA is unlikely to be widespread enough to cause problems. But I cannot be confident that the same problem is not going to appear with ECC parameters. (sorry for the double negative).
I don't like a solution for pinning that depends on the CA delivering the 'right' sort of cert. I would prefer to add in a second hash over the parameter values or specify them explicitly in the pin or to have the hash be over what the values would be if completely specified in the Key Info. On Tue, Dec 13, 2011 at 1:11 AM, Yoav Nir <[email protected]> wrote: > True. I don't expect DSA to ever become viable enough to worry about. I > think if you ran the same select for ECDSA, you would come up with zero, > but there is some expectation of that changing in the long run. > > By now all the major browsers except Opera support ECDSA, so we might be > seeing some of those when websites feel it's safe to abandon the > IE6-on-Windows-XP and old Macs. > > On Dec 13, 2011, at 2:55 AM, Chris Palmer wrote: > > > Of these, the handful that I spot-checked are all either down, > > expired, or have been replaced with certificates for RSA keys. > > > > On Mon, Dec 12, 2011 at 4:37 PM, Chris Palmer <[email protected]> wrote: > >> Also, FWIW, from the EFF SSL Observatory: > >> > >> mysql> select distinct `Subject Public Key Info:Public Key Algorithm` > >> from valid_certs; > >> +----------------------------------------------+ > >> | Subject Public Key Info:Public Key Algorithm | > >> +----------------------------------------------+ > >> | rsaEncryption | > >> | dsaEncryption | > >> +----------------------------------------------+ > >> 2 rows in set (4.09 sec) > >> > >> mysql> select count(*) from valid_certs where `Subject Public Key > >> Info:Public Key Algorithm` like '%dsa%'; > >> +----------+ > >> | count(*) | > >> +----------+ > >> | 25 | > >> +----------+ > >> 1 row in set (3.26 sec) > > _______________________________________________ > websec mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/websec > -- Website: http://hallambaker.com/
_______________________________________________ websec mailing list [email protected] https://www.ietf.org/mailman/listinfo/websec
