Re: [TLS] [pkix] Cert Enumeration and Key Assurance With DNSSEC

Ralph Holz <> Tue, 05 October 2010 16:47 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id AF3C43A6F8B for <>; Tue, 5 Oct 2010 09:47:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.603
X-Spam-Status: No, score=-1.603 tagged_above=-999 required=5 tests=[AWL=-0.646, BAYES_00=-2.599, HELO_EQ_DE=0.35, MISSING_HEADERS=1.292]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id lWKHK4jmg6gD for <>; Tue, 5 Oct 2010 09:47:43 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 4D7D53A6CE1 for <>; Tue, 5 Oct 2010 09:47:43 -0700 (PDT)
Received: (qmail 7722 invoked by uid 89); 5 Oct 2010 18:48:40 +0200
Received: from (HELO ? ( by with ESMTPA; 5 Oct 2010 18:48:40 +0200
Message-ID: <>
Date: Tue, 05 Oct 2010 18:48:39 +0200
From: Ralph Holz <>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv: Gecko/20100915 Thunderbird/3.0.8
MIME-Version: 1.0
References: <>
In-Reply-To: <>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Subject: Re: [TLS] [pkix] Cert Enumeration and Key Assurance With DNSSEC
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 05 Oct 2010 16:47:44 -0000


>   I am guessing here that you are in favor of pinning certs?
> If my guess is correct, can you tell us all why you are?

I am not sure I am in favour. The practical argument for it would be
that a changed certificate should be reason for a user to stop for a
moment and think. OK for now, maybe. However, many certs have life-times
of 1 year or 2. Given that one day we may visit many more https-secured
sites, we would likely see more false alerts again soon, too - precisely
the thing that Firefox has been criticised for when it introduced its
new warning dialogue.

On a more theoretical basis, I am also not sure if the 1:1 binding of
"one entity/identity - one key" is desirable.

Still, given the current PKI trust model and the current state of PKI as
such, I would probably vote with those in favour of pinning for the moment.

> I am not as there are instances where a perfictly valid cert
> is used but that the issuing CA has had their Cert database
> hacked or corrupted and a secondary Cert becomes necessary
> or at least preferrable as a temporary fix.  Of course such
> a cert would need to be issued by a different CA.

Well... listening to CAs and their EV statements, such things should not
happen too often anyway. It should not be a argument against pinning.

Best regards,