[cabfpub] Public key pinning (Was: Notes of meeting)

Rick Andrews Rick_Andrews at symantec.com
Thu Jul 12 17:56:25 UTC 2012

> Is path-building really non-deterministic?
> There can be multiple routes, but my (perhaps naive) understanding is
> that multiple paths doesn't happen in the common website-on-the-internet
> case, at least not for end-entity certs or the intermediates directly
> above them. But perhaps someone can tell me I'm wrong.

Symantec has been issuing SSL certs with dual paths for some time now. We do it to migrate to 2048-bit roots without shutting out older browsers that don't contain those roots. I would say the chain is deterministic; the leg leading to the 2048-bit root is shorter than the leg leading to the 1024-bit root, and that's what causes IE (at least) to favor the short chain over the long chain if it has both roots.


More information about the Public mailing list