Re: [TLS] [pkix] Cert Enumeration and Key Assurance With DNSSEC

"Jeffrey A. Williams" <> Mon, 04 October 2010 17:44 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 970B83A6FE5 for <>; Mon, 4 Oct 2010 10:44:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.352
X-Spam-Status: No, score=-0.352 tagged_above=-999 required=5 tests=[AWL=-0.353, BAYES_50=0.001]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id sFOIPOtaSplJ for <>; Mon, 4 Oct 2010 10:44:58 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id E60FB3A6FB7 for <>; Mon, 4 Oct 2010 10:44:57 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=dk20050327;; b=K1O2uKCoiksagT9bNueJQtRUqrS8mNP72z1galI76kNvgLARj0VilRCDRBHq9BmO; h=Message-ID:Date:From:Reply-To:To:Subject:Mime-Version:Content-Type:Content-Transfer-Encoding:X-Mailer:X-ELNK-Trace:X-Originating-IP;
Received: from [] ( by with esmtpa (Exim 4.67) (envelope-from <>) id 1P2p6n-0004oy-6s; Mon, 04 Oct 2010 13:45:53 -0400
Received: from by with HTTP; Mon, 4 Oct 2010 13:45:53 -0400
Message-ID: <>
Date: Mon, 4 Oct 2010 12:45:53 -0500 (GMT-05:00)
From: "Jeffrey A. Williams" <>
To: Ralph Holz <>,
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-Mailer: EarthLink Zoo Mail 1.0
X-ELNK-Trace: c8e3929e1e9c87a874cfc7ce3b1ad11381c87f5e51960688ceb27319d864056ba25554909447d0a1350badd9bab72f9c350badd9bab72f9c350badd9bab72f9c
Subject: Re: [TLS] [pkix] Cert Enumeration and Key Assurance With DNSSEC
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: "Jeffrey A. Williams" <>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 04 Oct 2010 17:44:59 -0000

Ralph and all,

  I am guessing here that you are in favor of pinning certs?
If my guess is correct, can you tell us all why you are?
I am not as there are instances where a perfictly valid cert
is used but that the issuing CA has had their Cert database
hacked or corrupted and a secondary Cert becomes necessary
or at least preferrable as a temporary fix.  Of course such
a cert would need to be issued by a different CA.

-----Original Message-----
>From: Ralph Holz <>
>Sent: Oct 4, 2010 10:54 AM
>Subject: Re: [TLS] [pkix] Cert Enumeration and Key Assurance With DNSSEC
>> But keep in mind that few TLS clients (such as browsers), currently
>> support "pinning" of PKIX-authenticated server certs, so that on future
>> connects only the very same server cert (with user-authenticated
>> attributes other than DNS f.q.d.n) will be accepted from that server.
>> In is very common misbehaviour in TLS clients to accept arbitrary other
>> server certs on future connects, as long as the DNS f.q.d.n matches.
>I have found during a few tests that some companies which give different
>IPs for the same DNS name also run some servers with different certs
>than the "main one". A closer look at the certs revealed that they had
>been issued for the same domain and had been signed by the same CA, i.
>e. they were perfectly valid. Pinning certs would prohibit this kind of
>Although I am not sure it is intentional - my thought was that these
>servers were just misconfigured (older cert?), as only very few
>exhibited this behaviour.
>Best regards,
>TLS mailing list

Jeffrey A. Williams
Spokesman for INEGroup LLA. - (Over 300k members/stakeholders and growing, strong!)
"Obedience of the law is the greatest freedom" -
   Abraham Lincoln

"Credit should go with the performance of duty and not with what is very
often the accident of glory" - Theodore Roosevelt

"If the probability be called P; the injury, L; and the burden, B; liability
depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing  (159 F.2d 169 [2d Cir. 1947]
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS. div. of
Information Network Eng.  INEG. INC.
ABA member in good standing member ID 01257402 E-Mail
Phone: 214-244-4827