[cabfpub] [cabfman] Improving the security of EV Certificates

Eddy Nigg (StartCom Ltd.) eddy_nigg at startcom.org
Wed Dec 18 16:23:41 MST 2013


On 12/19/2013 12:46 AM, From Hill, Brad:
>
> I guess nobody knows what you’re talking about, then.
>
> If you mean that every individual end-user ought to manually associate 
> certificates to website addresses in their browser(s) then naïve is 
> not a strong enough word.
>

But this is exactly how DigiNotar was detected. Basically, a few 
emails back I suggested that browser vendors nail the most important 
sites in their browser as "pins" and allow users to pin additional 
certificates to the respective sites. It's a very simple and efficient 
way to get some protection and allows detection for the most important 
sites.

I assume it's the same thing Rick referred to a few emails back as well. 
It's something that can be implemented easily at the client software as 
Google has already shown and the interested folks that have some 
understanding can refine it for their use.

I'm sure I'm not the only one who uses the word "pinning" or "to pin a 
certificate" for this.


Regards
Signer: Eddy Nigg, COO/CTO
StartCom Ltd. <http://www.startcom.org>
XMPP: startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Twitter: Follow Me <http://twitter.com/eddy_nigg>
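As an added illustration (not code from the thread, from StartCom, or from any browser vendor), a minimal Python pin store of the kind described above: vendor-shipped pins for important sites plus user-added pins, checked against the SPKI hashes of a presented certificate chain so that a chain from an unexpected issuer is flagged. Host names and SPKI bytes are constructed placeholders, not real keys.

```python
import base64
import hashlib
from dataclasses import dataclass, field


def spki_pin(spki_der: bytes) -> str:
    """Pin value = base64(SHA-256(SubjectPublicKeyInfo DER)), the HPKP/Chromium form."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


@dataclass
class PinStore:
    # Pins "nailed" into the client by the vendor for the most important sites.
    builtin: dict = field(default_factory=dict)
    # Pins the end user associated with additional sites locally.
    user: dict = field(default_factory=dict)

    def pin_user(self, host: str, *spki_ders: bytes) -> None:
        self.user.setdefault(host, set()).update(spki_pin(s) for s in spki_ders)

    def check(self, host: str, chain_spkis: list) -> str:
        """Return 'ok', 'unpinned', or 'mismatch' for a presented chain."""
        pinned = self.builtin.get(host, set()) | self.user.get(host, set())
        if not pinned:
            return "unpinned"  # no pin: fall back to ordinary chain validation
        # Any certificate in the chain may satisfy a pin (leaf, intermediate or root),
        # so a vendor can pin a CA key and survive routine leaf rotation.
        presented = {spki_pin(s) for s in chain_spkis}
        return "ok" if pinned & presented else "mismatch"


# Constructed sample data standing in for real SPKI DER bytes.
GOOD_LEAF, GOOD_CA = b"constructed-spki:good-leaf", b"constructed-spki:good-ca"
ROGUE_LEAF, ROGUE_CA = b"constructed-spki:rogue-leaf", b"constructed-spki:rogue-ca"

store = PinStore(builtin={"www.example.com": {spki_pin(GOOD_LEAF), spki_pin(GOOD_CA)}})


def demo() -> dict:
    store.pin_user("mail.example.net", GOOD_LEAF)  # user adds a pin for another site
    return {
        "legit": store.check("www.example.com", [GOOD_LEAF, GOOD_CA]),
        # A chain from an unexpected issuer is flagged even if it would validate.
        "rogue": store.check("www.example.com", [ROGUE_LEAF, ROGUE_CA]),
        "user": store.check("mail.example.net", [GOOD_LEAF, ROGUE_CA]),
        "other": store.check("other.example.org", [ROGUE_LEAF, ROGUE_CA]),
    }


if __name__ == "__main__":
    print(demo())
```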

