[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Network security manager

From: Lars Magne Ingebrigtsen
Subject: Re: Network security manager
Date: Wed, 19 Nov 2014 12:19:46 +0100
User-agent: Gnus/5.130012 (Ma Gnus v0.12) Emacs/25.0.50 (gnu/linux)

Ted Zlatanov <address@hidden> writes:

> I am not a cryptographer so I hope some of those step in and suggest
> what's best. To me from what I know and based on the cited references,
> it seems it could be a choice but pinning the public key is better for
> most people. They won't have to accept again every time the certificate
> is reissued.

Hm...  might one not want to track the certificate, though?  If it's
changed, then there might be shenanigans.

But if the attacker can generate traffic with the trusted public key,
the site would have larger problems than with the certificate, so
perhaps it doesn't add anything much security-wise...

> Also, we're hashing the SubjectPublicKeyInfo not the public key bit
> string. The SPKI includes the type of the public key and some parameters
> along with the public key itself.

Does gnutls have a function to fingerprint that info?  Or access it in
raw form?  I guess we could just sha1 it ourselves.

(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no

reply via email to

[Prev in Thread] Current Thread [Next in Thread]