[cabfpub] Notice of Certificate Issuance

Gervase Markham gerv at mozilla.org
Tue Dec 6 16:28:11 UTC 2016

Hi Dean,

On 05/12/16 10:36, Dean Coclin wrote:
> Third party
> applications or platforms that have an Intermediate CA embedded as a
> root certificate may not operate as designed after the Intermediate
> CA has been rekeyed.

Right, but embedding an intermediate as a root in client software is not
the same thing as pinning. Embedding means "all chains this client sees
must go through this intermediate", which clearly wouldn't work if the
intermediate changed. Pinning will continue to work fine as long as you
don't revoke the old intermediate. The issue comes when they come back
to you and say "we need a new cert from this intermediate", and you say
"but we aren't using it any more".

So perhaps best practice for key pinning should include obtaining a
renewed end-entity certificate far enough in advance, with that being
defined as old certificate expiration date minus pin duration minus
flexibility margin, so you have time to change or augment your pins if
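Added illustration of the two points above, not code from the thread or from any CA/B Forum document: an HPKP-style pin check (base64 SHA-256 of the SubjectPublicKeyInfo, per RFC 7469) showing that a renewed end-entity cert from the same intermediate still matches the pin set while one from a rekeyed intermediate does not until the new pin is added, plus the renewal-deadline arithmetic Gerv proposes. The SPKI byte strings are constructed placeholders, not real keys, and the function names are mine.

```python
"""Pinning vs. intermediate rekey: added example, stdlib only."""
import base64
import hashlib
from datetime import date, timedelta


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def chain_satisfies_pins(chain_spkis, pins):
    """HPKP rule: the chain validates if ANY certificate in it carries a pinned SPKI."""
    return any(spki_pin(spki) in pins for spki in chain_spkis)


def latest_renewal_date(expiry: date, pin_max_age: timedelta, margin: timedelta) -> date:
    """Gerv's proposed deadline: expiry minus pin duration (HPKP max-age) minus margin.
    Renewing by this date leaves a full pin lifetime to roll out changed pins."""
    return expiry - pin_max_age - margin


# Constructed placeholder SPKI blobs (leaf -> intermediate -> root).
ROOT = b"constructed-root-spki"
OLD_INT = b"constructed-old-intermediate-spki"
NEW_INT = b"constructed-rekeyed-intermediate-spki"  # same CA after rekey
LEAF_OLD = b"constructed-leaf-2016-spki"
LEAF_NEW = b"constructed-leaf-2017-spki"            # renewed end-entity key
BACKUP = b"constructed-offline-backup-key-spki"

# Site pins the intermediate's key plus a backup key it controls.
PINS = {spki_pin(OLD_INT), spki_pin(BACKUP)}


def scenarios():
    """Outcomes for the three situations discussed in the thread."""
    return {
        "current_chain": chain_satisfies_pins([LEAF_OLD, OLD_INT, ROOT], PINS),
        # New leaf, same (unrevoked) intermediate: pins keep working.
        "renewed_same_intermediate": chain_satisfies_pins([LEAF_NEW, OLD_INT, ROOT], PINS),
        # Leaf issued from the rekeyed intermediate: no pinned SPKI in chain.
        "rekeyed_intermediate": chain_satisfies_pins([LEAF_NEW, NEW_INT, ROOT], PINS),
        # Same chain once the new intermediate's pin has been served to clients.
        "rekeyed_after_pin_update": chain_satisfies_pins(
            [LEAF_NEW, NEW_INT, ROOT], PINS | {spki_pin(NEW_INT)}),
    }
```

Because clients cache pins for max-age, the new pin must be served to them before the old intermediate stops issuing; that is why the deadline subtracts the pin duration rather than just a margin.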


