[cabfpub] Improving the security of EV Certificates

Rick Andrews Rick_Andrews at symantec.com
Thu Dec 19 01:32:50 UTC 2013


Thanks, Chris. I’ll re-read the latest spec.

From: Chris Palmer [mailto:palmer at google.com]
Sent: Wednesday, December 18, 2013 5:25 PM
To: Rick Andrews
Cc: public at cabforum.org
Subject: Re: [cabfpub] Improving the security of EV Certificates

On Wed, Dec 18, 2013 at 5:16 PM, Rick Andrews <Rick_Andrews at symantec.com> wrote:

I concede that CT and pinning don't accomplish the same thing. They can both detect if a certificate was mis-issued for an existing web site that the domain owner knows about (say, www.example.com), but pinning cannot detect that a certificate was mis-issued for a web site that the domain owner doesn't know about (say, myfakesite.example.com). This is a shortcoming of pinning that was not apparent to me until now.

http://tools.ietf.org/html/draft-ietf-websec-key-pinning-09#section-2.1.2
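The pinning-scope question in the exchange above, worked through as an added illustration that is not part of this thread and not code from the CA/Browser Forum or the key-pinning draft. It simulates the client-side pin check (an exact-host pin, then an ancestor pin carrying the includeSubDomains directive that the linked section of the draft describes) and contrasts it with a domain owner monitoring a CT-style log of issued certificates. The host names, SPKI byte strings, pin stores and log entries are all constructed for the example.

```python
"""Pin scope vs. log monitoring, constructed example (not the draft's or any
browser's implementation). SPKI values below are placeholder byte strings
hashed with SHA-256 so that the pin comparison is realistic in shape."""

import hashlib
from dataclasses import dataclass


@dataclass
class PinEntry:
    spki_hashes: set         # hex SHA-256 digests of pinned SubjectPublicKeyInfo
    include_subdomains: bool  # the includeSubDomains directive from the draft


def spki_hash(spki_der: bytes) -> str:
    """Pin fingerprint: SHA-256 over the SubjectPublicKeyInfo bytes."""
    return hashlib.sha256(spki_der).hexdigest()


def find_applicable_pin(pin_store: dict, host: str):
    """Return the PinEntry that governs `host`, or None.

    An exact host entry wins. Otherwise walk up the parent domains and use the
    nearest ancestor whose entry was set with includeSubDomains; an ancestor
    pinned without that directive does not cover its subdomains."""
    if host in pin_store:
        return pin_store[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        entry = pin_store.get(parent)
        if entry is not None and entry.include_subdomains:
            return entry
    return None


def check_pins(pin_store: dict, host: str, chain_spkis: list) -> str:
    """Client-side pin validation: 'no_pin', 'match' or 'mismatch'.

    A chain matches when any SPKI in it hashes to a pinned value. 'no_pin'
    means the client has nothing to compare against, so a mis-issued cert
    for that name is accepted silently."""
    entry = find_applicable_pin(pin_store, host)
    if entry is None:
        return "no_pin"
    if any(spki_hash(s) in entry.spki_hashes for s in chain_spkis):
        return "match"
    return "mismatch"


def ct_monitor(log_entries: list, owned_names: set, suffix: str) -> list:
    """Domain-owner view of a CT-style log: every name issued under `suffix`
    that is not in the owner's inventory. Constructed entries are
    (subject_name, spki_bytes) tuples."""
    unexpected = set()
    for name, _spki in log_entries:
        in_scope = name == suffix or name.endswith("." + suffix)
        if in_scope and name not in owned_names:
            unexpected.add(name)
    return sorted(unexpected)


# Constructed key material: the site's real key and a key the owner never used.
LEGIT_SPKI = b"constructed-spki-of-the-example-com-key"
ROGUE_SPKI = b"constructed-spki-of-some-other-key"

# Pin store 1: only www.example.com pinned, no includeSubDomains.
PIN_STORE_WWW_ONLY = {
    "www.example.com": PinEntry({spki_hash(LEGIT_SPKI)}, False),
}
# Pin store 2: the apex pinned with includeSubDomains (section 2.1.2 of the draft).
PIN_STORE_APEX_SUBS = {
    "example.com": PinEntry({spki_hash(LEGIT_SPKI)}, True),
}

# Constructed log: the known site plus a name the owner never requested.
CT_LOG = [
    ("www.example.com", LEGIT_SPKI),
    ("myfakesite.example.com", ROGUE_SPKI),
]
OWNED_NAMES = {"www.example.com", "example.com"}


if __name__ == "__main__":
    print(check_pins(PIN_STORE_WWW_ONLY, "www.example.com", [ROGUE_SPKI]))
    print(check_pins(PIN_STORE_WWW_ONLY, "myfakesite.example.com", [ROGUE_SPKI]))
    print(check_pins(PIN_STORE_APEX_SUBS, "myfakesite.example.com", [ROGUE_SPKI]))
    print(ct_monitor(CT_LOG, OWNED_NAMES, "example.com"))
```

With the first pin store, a wrong key for www.example.com is a mismatch but the unknown subdomain gets "no_pin", which is the gap described in the quoted paragraph; with the apex entry and includeSubDomains, the same subdomain is a mismatch. The log monitor reports the unknown name regardless of whether any client carries a pin, because it works from issuance records rather than from names the owner pinned in advance.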