[cabfpub] Notice of Certificate Issuance
Gervase Markham
gerv at mozilla.org
Tue Dec 6 09:28:11 MST 2016
Hi Dean,
On 05/12/16 10:36, Dean Coclin wrote:
> Third party
> applications or platforms that have an Intermediate CA embedded as a
> root certificate may not operate as designed after the Intermediate
> CA has been rekeyed.
Right, but embedding an intermediate as a root in client software is not
the same thing as pinning. Embedding means "all chains this client sees
must go through this intermediate", which clearly wouldn't work if the
intermediate changed. Pinning will continue to work fine as long as you
don't revoke the old intermediate. The issue comes when they come back
to you and say "we need a new cert from this intermediate", and you say
"but we aren't using it any more".
So perhaps best practice for key pinning should include obtaining a
renewed end-entity certificate far enough in advance, with that being
defined as old certificate expiration date minus pin duration minus
flexibility margin, so you have time to change or augment your pins if
necessary.
Gerv
More information about the Public
mailing list