IETF Logo Mail Archive

Re: [websec] Certificate Pinning via HSTS

James Nicoll <jrn@st-andrews.ac.uk> Tue, 13 September 2011 10:40 UTC

Return-Path: <jrn@st-andrews.ac.uk>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E18FA21F8B4A for <websec@ietfa.amsl.com>; Tue, 13 Sep 2011 03:40:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id te6-XHPlMtit for <websec@ietfa.amsl.com>; Tue, 13 Sep 2011 03:40:36 -0700 (PDT)
Received: from wallace.st-andrews.ac.uk (wallace.st-andrews.ac.uk [138.251.30.31]) by ietfa.amsl.com (Postfix) with ESMTP id 1430421F8B42 for <websec@ietf.org>; Tue, 13 Sep 2011 03:40:35 -0700 (PDT)
Received: from unimail.st-andrews.ac.uk ([194.247.94.140]) by wallace.st-andrews.ac.uk (8.14.3/8.14.3/Debian-5) with ESMTP id p8DAftdE020398 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Tue, 13 Sep 2011 11:41:57 +0100
Received: from UOS-DUN-MBX1.st-andrews.ac.uk ([172.20.12.21]) by uos-dun-cas2 ([172.20.12.16]) with mapi id 14.01.0289.001; Tue, 13 Sep 2011 11:41:55 +0100
From: James Nicoll <jrn@st-andrews.ac.uk>
To: Yoav Nir <ynir@checkpoint.com>, "Richard L. Barnes" <rbarnes@bbn.com>
Thread-Topic: [websec] Certificate Pinning via HSTS
Thread-Index: AQHMcZb1Dq/HWzBLbUmvs44IICZjHJVKa12AgABTnYCAAGFYgA==
Date: Tue, 13 Sep 2011 10:41:54 +0000
Message-ID: <CA94F179.10036%jrn@st-andrews.ac.uk>
In-Reply-To: <86A71F95-AAFF-4A09-853E-3888962C4930@checkpoint.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [138.251.194.244]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <1E105253C0AD9D4AB47B6E534D12A366@st-andrews.ac.uk>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-StAndrews-MailScanner-ID: p8DAftdE020398
X-StAndrews-MailScanner: No virus detected
X-StAndrews-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=-0.085, required 5, BAYES_40 -0.18, RDNS_NONE 0.10)
X-StAndrews-MailScanner-From: jrn@st-andrews.ac.uk
Cc: Chris Evans <cevans@google.com>, "websec@ietf.org" <websec@ietf.org>
Subject: Re: [websec] Certificate Pinning via HSTS
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Sep 2011 10:40:37 -0000

I was under the impression that this wasn't a good idea, as periodic
replacement of the keys was done incase of an undetected compromise?

Ross


On 13/09/2011 06:53, "Yoav Nir" <ynir@checkpoint.com> wrote:

>1. Sometimes certificates are renewed periodically with the same public
>key. This is very common for sub-CAs and less so for EE certificates, but
>unless it has been compromised, or NIST recommends that you double your
>bit-length again, there's no reason not to use the same old public key
>and the new certificate

v2.23.0 | Report a Bug | By Email