On 04/24/2014 03:24 PM, Ryan Sleevi wrote:
> I don't agree that pinning the EE's signer is necessarily good advice -
> CAs regularly rotate their intermediates (eg: for CRL partitioning), so
> it's hard to suggest that's a good, long-term stable solution.
Just wanted to give real-world confirmation on this: with Heartbleed I
know a lot of folks have done a lot of cert reissuance. At least one CA
has re-issued certs in this context from a different intermediate CA
than the original cert was issued from. Had the re-issuing site been
pinning to its immediate issuer, the re-issued cert would have been
rejected by pinning clients.
> Really, the
> solution is for the site operator to coordinate with their CA and work on
> recommended pinning practices for the CA's PKI.
I agree with this, and that CAs need to be much clearer (to both
subscribers and relying parties) about their planned infrastructure
transitions.
--dkg
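The failure mode dkg describes, worked through as an added example (not code from the thread or from any of the participants): the pin-matching rule from RFC 7469 (a pinned connection is valid if at least one pin matches the SubjectPublicKeyInfo of any certificate in the validated chain) is applied to a chain before and after a CA reissues the leaf from a different intermediate. The SPKI byte strings are constructed stand-ins, not real DER, and the two pin sets are hypothetical policies chosen only to show the mechanical difference; which keys a site should actually pin is the coordination-with-the-CA question Ryan raises.

```python
"""Added example (not from the original thread): HPKP-style pin matching
over a certificate chain, showing why a pin set that names only the
immediate issuer breaks when the CA reissues from another intermediate.

All SPKI values below are constructed stand-ins, not real DER-encoded keys.
"""
import base64
import hashlib
from typing import Dict, Iterable, List, Sequence


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin for a SubjectPublicKeyInfo: base64(sha256(spki))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def chain_matches_pins(chain_spkis: Sequence[bytes], pins: Iterable[str]) -> bool:
    """RFC 7469 section 2.6: pinning passes if at least one pin in the
    pin set matches the SPKI of any certificate in the validated chain."""
    chain_pins = {spki_pin(spki) for spki in chain_spkis}
    return any(pin in chain_pins for pin in pins)


# Constructed stand-in SPKIs (real ones would be DER from the certificates).
ROOT_SPKI = b"stand-in SPKI: Example Root CA"
INTERMEDIATE_A_SPKI = b"stand-in SPKI: Example Intermediate A"
INTERMEDIATE_B_SPKI = b"stand-in SPKI: Example Intermediate B"
LEAF_OLD_SPKI = b"stand-in SPKI: site leaf key, before reissuance"
LEAF_NEW_SPKI = b"stand-in SPKI: site leaf key, after reissuance"
BACKUP_SPKI = b"stand-in SPKI: site-held offline backup key"

# Chain as originally issued: leaf -> Intermediate A -> root.
CHAIN_BEFORE: List[bytes] = [LEAF_OLD_SPKI, INTERMEDIATE_A_SPKI, ROOT_SPKI]
# Chain after the CA reissues from a different intermediate: leaf' -> Intermediate B -> root.
CHAIN_AFTER: List[bytes] = [LEAF_NEW_SPKI, INTERMEDIATE_B_SPKI, ROOT_SPKI]


def pin_policies() -> Dict[str, List[str]]:
    """Two hypothetical pin sets used only for comparison."""
    return {
        # Pins nothing but the immediate issuer's key (Intermediate A).
        "immediate-issuer-only": [spki_pin(INTERMEDIATE_A_SPKI)],
        # Pins a key higher in the CA's PKI plus a backup key the site controls.
        "root-plus-backup": [spki_pin(ROOT_SPKI), spki_pin(BACKUP_SPKI)],
    }


def evaluate() -> Dict[str, Dict[str, bool]]:
    """Evaluate each pin set against the chain before and after reissuance."""
    results: Dict[str, Dict[str, bool]] = {}
    for name, pins in pin_policies().items():
        results[name] = {
            "before": chain_matches_pins(CHAIN_BEFORE, pins),
            "after": chain_matches_pins(CHAIN_AFTER, pins),
        }
    return results


if __name__ == "__main__":
    for name, outcome in evaluate().items():
        print(f"{name}: before={outcome['before']} after={outcome['after']}")
```

Running it shows the immediate-issuer pin set validating the original chain and rejecting the reissued one, while the set that pins above the rotating intermediate (and carries a backup pin) passes both; the second set is only one of the shapes a CA-coordinated policy might take.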