[cabfpub] [cabfman] Improving the security of EV Certificates

Eddy Nigg (StartCom Ltd.) eddy_nigg at startcom.org
Wed Dec 18 21:39:31 UTC 2013

On 12/18/2013 11:32 PM, From Ryan Sleevi:
> On Wed, Dec 18, 2013 at 1:23 PM, Eddy Nigg (StartCom Ltd.) 
> <eddy_nigg at startcom.org <mailto:eddy_nigg at startcom.org>> wrote:
>     On 12/18/2013 10:14 PM, From Ryan Sleevi:
>>     > How did you arrive at that sum? Pinning shouldn't really cost
>>     anything once the code is in the browsers. I also assume that
>>     code changes for CT wouldn't be any cheaper than that.
>>     Pinning is NOT just a knob you turn. It carries huge operational
>>     risks to realize the preventative guarantees.
>     Are we talking about the same thing here?
> Absolutely.
> If you haven't followed the IETF discussions about pinning, I 
> absolutely encourage you to do so.

Sadly I don't have much time for IETF discussions, but...

> The pinning draft itself is careful to spell out that there are 
> non-trivial risks aplenty with pinning, BUT it can provide 
> *preventative* mitigation.

WHAT? With pinning I understand to pin a particular certificate to a 
particular host name in the browser. Is this what you are talking about?

Signer: Eddy Nigg, COO/CTO
StartCom Ltd. <http://www.startcom.org>
XMPP: startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Twitter: Follow Me <http://twitter.com/eddy_nigg>
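Added illustration, not part of this thread: the pin check described in the IETF key-pinning draft being referred to (later RFC 7469), run over constructed SPKI stand-ins, showing both the preventative guarantee (a mis-issued certificate under an unpinned key is rejected) and the operational risk (a key rotation without a published backup pin locks legitimate clients out).

```python
import base64
import hashlib


def spki_pin(spki_der: bytes) -> str:
    """Pin value as in the draft: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def has_backup_pin(pins: set, chain_spkis: list) -> bool:
    """The draft requires at least one pin that matches NO key in the
    chain currently served, so the site can recover from losing a key."""
    served = {spki_pin(s) for s in chain_spkis}
    return any(p not in served for p in pins)


def chain_matches_pins(pins: set, chain_spkis: list) -> bool:
    """A connection is accepted only if some SPKI in the validated chain
    hashes to one of the remembered pins; otherwise it is a hard failure."""
    return any(spki_pin(s) in pins for s in chain_spkis)


# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs.
LEAF_KEY_V1 = b"constructed-leaf-spki-v1"
LEAF_KEY_V2 = b"constructed-leaf-spki-v2"       # key planned for rotation
INTERMEDIATE = b"constructed-intermediate-spki"
ROGUE_KEY = b"constructed-misissued-leaf-spki"  # key of a mis-issued cert

# Operator published a backup pin for the next key: rotation is survivable.
PINS_WITH_BACKUP = {spki_pin(LEAF_KEY_V1), spki_pin(LEAF_KEY_V2)}
# Operator pinned only the live key: one rotation and every client is cut off.
PINS_NO_BACKUP = {spki_pin(LEAF_KEY_V1)}


def rotation_survives(pins: set) -> bool:
    """Does a rotation from LEAF_KEY_V1 to LEAF_KEY_V2 stay reachable?"""
    return chain_matches_pins(pins, [LEAF_KEY_V2, INTERMEDIATE])


def misissuance_blocked(pins: set) -> bool:
    """Is a chain under a key the site never pinned refused?"""
    return not chain_matches_pins(pins, [ROGUE_KEY, INTERMEDIATE])
```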

