On 03/04/2013 07:57 PM, Ryan Sleevi wrote:
> As discussed during Atlanta, the way that pinning is currently implemented
> within Google Chrome, pinning is only enforced as it relates to so-called
> "public trust anchors" (eg: those shipped by default as part of a browser
> or OS installation, not those installed by a user).
Sorry -- i wasn't in Atlanta, so i don't know the context or background
for this. Can you explain more?
Consider the case where pre-loaded trust anchor ("trusted root
certificate authority") X certified my web server's EE certificate with
pubkey Y, and i published a pin on Y and my backup pubkey Z (but no pin
on X).
Are you saying that if i switch my server to use Z, and it is certified
by some non-(pre)loaded trust anchor (or it is self-signed), then Google
Chrome will not respect the pinning and the connection will fail?
--dkg
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
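As an added illustration, not code from the thread or from Chrome, a small Python model of the two policies the exchange contrasts: RFC 7469-style pin validation, where any SubjectPublicKeyInfo in the served chain may satisfy a pin, beside the policy Ryan describes, under which pins are only checked when the chain ends in a pre-loaded public anchor. The chains follow dkg's scenario (pins on Y and backup Z, none on root X); the SPKI byte strings are constructed placeholders rather than real DER, and the Public-Key-Pins header is computed from them.

```python
import base64
import hashlib
import re

def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def parse_pkp_header(value: str) -> set:
    """Collect the pin-sha256 directives from a Public-Key-Pins header."""
    return set(re.findall(r'pin-sha256="([^"]+)"', value))

def evaluate(chain_spkis, pins, public_anchors, chrome_policy):
    """chain_spkis is leaf first, root last. Returns 'ok', 'pin_failure', or
    'not_enforced' (Chrome policy: root is not a pre-loaded anchor, no check)."""
    root = chain_spkis[-1]
    if chrome_policy and root not in public_anchors:
        return "not_enforced"
    # RFC 7469: any certificate in the chain may satisfy a pin.
    if any(spki_pin(s) in pins for s in chain_spkis):
        return "ok"
    return "pin_failure"

# Constructed placeholders standing in for DER-encoded SPKIs (not real keys).
SPKI_X = b"constructed-spki:preloaded-root-X"
SPKI_P = b"constructed-spki:user-installed-root-P"
SPKI_Y = b"constructed-spki:server-key-Y"
SPKI_Z = b"constructed-spki:backup-key-Z"
SPKI_W = b"constructed-spki:unpinned-key-W"
PUBLIC_ANCHORS = {SPKI_X}

# The site pins Y and its backup Z, but not the root X (dkg's scenario).
PKP_HEADER = 'pin-sha256="%s"; pin-sha256="%s"; max-age=5184000' % (
    spki_pin(SPKI_Y), spki_pin(SPKI_Z))
PINS = parse_pkp_header(PKP_HEADER)

def scenarios():
    """Each chain under both policies: name -> (strict result, chrome result)."""
    chains = {
        "Y under X": [SPKI_Y, SPKI_X],   # original setup, public anchor
        "Z under P": [SPKI_Z, SPKI_P],   # dkg's question: backup key, private anchor
        "W under P": [SPKI_W, SPKI_P],   # unpinned key, private anchor
        "W under X": [SPKI_W, SPKI_X],   # unpinned key, public anchor
    }
    return {name: (evaluate(c, PINS, PUBLIC_ANCHORS, False),
                   evaluate(c, PINS, PUBLIC_ANCHORS, True))
            for name, c in chains.items()}
```

Under the modelled Chrome policy the "Z under P" case yields `not_enforced` rather than a pin failure, and so does an unpinned key under the same private anchor; that the pin simply goes unchecked is an inference from Ryan's description, not a statement the thread itself confirms.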
