[cabfpub] [cabfman] Improving the security of EV Certificates
Eddy Nigg (StartCom Ltd.)
eddy_nigg at startcom.org
Wed Dec 18 16:23:41 MST 2013
On 12/19/2013 12:46 AM, From Hill, Brad:
>
> I guess nobody knows what you’re talking about, then.
>
> If you mean that every individual end-user ought to manually associate
> certificates to website addresses in their browser(s) then naïve is
> not a strong enough word.
>
But this is exactly how DigiNotar was detected. Basically, a few
emails back I suggested that browser vendors nail the most important
sites in their browser as "pins" and allow users to pin additional
certificates to the respective sites. It's a very simple and efficient
way to get some protection and allows detection for the most important
sites.
I assume it's the same thing Rick referred to a few emails back as well.
It's something that can be implemented easily in the client software, as
Google has already shown, and the interested folks who have some
understanding can refine it for their use.
I'm sure I'm not alone in using the word "pinning", or "pin a
certificate", for this.
Regards
Signer: Eddy Nigg, COO/CTO
StartCom Ltd. <http://www.startcom.org>
XMPP: startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Twitter: Follow Me <http://twitter.com/eddy_nigg>
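The scheme Eddy describes above, as an added example that is not part of his message and is not the code of any browser vendor: a vendor ships a preloaded pin set for the most important sites, the user can pin further sites, and every validated chain is checked against the merged pins, so a technically valid certificate from the wrong CA (the DigiNotar case) is rejected and surfaced. The pin format (base64 of the SHA-256 of the DER SubjectPublicKeyInfo) is the one HPKP and Chromium's preload list use; the hostnames and all SPKI byte strings below are constructed placeholders, not real keys.

```python
# Added example (not code from the original thread or from any browser): a
# minimal model of vendor-preloaded plus user-added certificate pinning.
# All SPKI byte strings below are constructed placeholders, not real keys.
import base64
import hashlib


def spki_pin(spki_der: bytes) -> str:
    """Pin = base64(SHA-256(DER-encoded SubjectPublicKeyInfo)).

    Pinning the SPKI hash rather than the whole certificate lets a site
    renew its certificate with the same key without breaking the pin.
    """
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


class PinStore:
    """Pins keyed by hostname; each entry is (set_of_pins, include_subdomains)."""

    def __init__(self, preloaded):
        self.preloaded = dict(preloaded)  # shipped by the browser vendor
        self.user = {}                    # added by the end user

    def add_user_pin(self, host, pin, include_subdomains=False):
        pins, _ = self.user.get(host, (set(), include_subdomains))
        self.user[host] = (pins | {pin}, include_subdomains)

    def pins_for(self, host):
        """Merge every vendor and user entry that applies to `host`."""
        applicable = set()
        labels = host.split(".")
        for table in (self.preloaded, self.user):
            for i in range(len(labels)):
                entry = table.get(".".join(labels[i:]))
                if entry is None:
                    continue
                pins, include_subdomains = entry
                if i == 0 or include_subdomains:  # exact host, or a parent that covers subdomains
                    applicable |= pins
        return applicable

    def check(self, host, chain_spki_der):
        """Return (status, detail) for an already path-validated chain, leaf first.

        Pinning is an additional constraint on top of ordinary chain validation.
        A match anywhere in the chain suffices, so a site can pin an intermediate
        or a root key rather than its own leaf key.
        """
        expected = self.pins_for(host)
        if not expected:
            return ("unpinned", "no pins apply to this host")
        seen = [spki_pin(der) for der in chain_spki_der]
        matched = expected.intersection(seen)
        if matched:
            return ("ok", "matched pin " + sorted(matched)[0])
        # Valid chain, but none of the pinned keys appear in it: this is the
        # mis-issuance case a pin is meant to catch and report.
        return ("pin-mismatch", f"none of {len(seen)} chain keys match {len(expected)} pins")


# Constructed placeholder SPKIs (not real keys).
GOOGLE_INTERMEDIATE = b"constructed-spki:google-intermediate"
GOOGLE_BACKUP = b"constructed-spki:google-backup-key"
GOOGLE_LEAF = b"constructed-spki:mail.google.com-leaf"
ROGUE_INTERMEDIATE = b"constructed-spki:misissuing-ca"
ROGUE_LEAF = b"constructed-spki:rogue-leaf"
BANK_LEAF = b"constructed-spki:bank.example-leaf"
BANK_CA = b"constructed-spki:bank-ca"

# Vendor-shipped pins: an intermediate plus a backup key, covering all subdomains.
store = PinStore({
    "google.com": ({spki_pin(GOOGLE_INTERMEDIATE), spki_pin(GOOGLE_BACKUP)}, True),
})
# The user pins a site the vendor does not preload (hypothetical hostname).
store.add_user_pin("bank.example", spki_pin(BANK_LEAF))

genuine = store.check("mail.google.com", [GOOGLE_LEAF, GOOGLE_INTERMEDIATE])
misissued = store.check("mail.google.com", [ROGUE_LEAF, ROGUE_INTERMEDIATE])
bank_ok = store.check("bank.example", [BANK_LEAF, BANK_CA])
bank_bad = store.check("bank.example", [ROGUE_LEAF, ROGUE_INTERMEDIATE])
other = store.check("unpinned.example", [ROGUE_LEAF, ROGUE_INTERMEDIATE])

if __name__ == "__main__":
    for name, result in [("genuine", genuine), ("misissued", misissued),
                         ("bank_ok", bank_ok), ("bank_bad", bank_bad), ("other", other)]:
        print(f"{name:10s} {result[0]:13s} {result[1]}")
```

Two practical points the model does not show: a "pin-mismatch" on a preloaded site should be a hard failure with a report, since that is the whole detection value, and Chromium deliberately skips pin enforcement for chains that end in a locally installed (non-public) trust anchor, so corporate interception proxies do not trip the pins; pinning therefore constrains which publicly trusted CAs may issue for a site and is not a substitute for chain validation.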