[Ach] HTTP key pinning (HTKP)

Hanno Böck hanno at hboeck.de
Wed Mar 19 23:27:58 CET 2014

On Wed, 19 Mar 2014 23:15:13 +0100
Aaron Zauner <azet at azet.org> wrote:

> This memo describes an extension to the HTTP protocol allowing web
> host operators to instruct user agents (UAs) to remember ("pin")
> the hosts' cryptographic identities for a given period of time.
> During that time, UAs will require that the host present a
> certificate chain including at least one Subject Public Key Info
> structure whose fingerprint matches one of the pinned fingerprints
> for that host.  By effectively reducing the number of authorities who
> can authenticate the domain during the lifetime of the pin, pinning
> may reduce the incidence of man-in-the-middle attacks due to
> compromised Certification Authorities.

Any idea why this is done on HTTP? I'd say wrong layer - you want
the same functionality for TLS in general.

And: Isn't this basically the same idea as TACK?

Hanno Böck

mail/jabber: hanno at hboeck.de
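A worked illustration of the pinning rule in the quoted abstract, added here as an example and not code from the draft, the list, or either poster: it builds constructed RSA SubjectPublicKeyInfo structures (toy moduli, not real keys), derives their SHA-256 pins, parses a Public-Key-Pins header and applies the "at least one SPKI in the presented chain matches a pinned fingerprint" check. The directive names follow the draft; the DER helpers and sample values are my own assumptions.

```python
import base64
import hashlib
# --- minimal DER helpers (added only to build the constructed test SPKIs) ---
def der(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body
def der_int(v):
    # (bit_length + 8) // 8 leaves a leading 0x00 when the top bit is set
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
def rsa_spki(n, e):
    """DER SubjectPublicKeyInfo for an RSA key: the bytes a pin is hashed over."""
    alg = der(0x30, der(0x06, RSA_OID) + der(0x05, b""))
    key = der(0x30, der_int(n) + der_int(e))
    return der(0x30, alg + der(0x03, b"\x00" + key))
def pin_sha256(spki_der):
    """pin-sha256 value: base64(SHA-256(DER SPKI)), as the draft specifies."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()
def parse_pkp_header(value):
    """Parse a Public-Key-Pins header into its pins, max-age and includeSubDomains."""
    out = {"pins": set(), "max_age": None, "includeSubDomains": False}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "pin-sha256":
            out["pins"].add(val)
        elif name == "max-age":
            out["max_age"] = int(val)
        elif name == "includesubdomains":
            out["includeSubDomains"] = True
    return out
def chain_matches_pins(chain_spkis, pins):
    """Draft rule: at least one SPKI in the presented chain must match a pinned fingerprint."""
    return any(pin_sha256(s) in pins for s in chain_spkis)
# Constructed toy SPKIs (tiny moduli, not real keys) standing in for a chain.
LEAF_SPKI = rsa_spki(0xC0FFEE1234567890ABCDEF, 65537)
INTERMEDIATE_SPKI = rsa_spki(0xDEADBEEFCAFEF00D, 65537)
BACKUP_SPKI = rsa_spki(0x0BADF00D12345678, 65537)  # offline backup key, not in the chain
EXAMPLE_HEADER = (f'pin-sha256="{pin_sha256(LEAF_SPKI)}"; '
                  f'pin-sha256="{pin_sha256(BACKUP_SPKI)}"; max-age=5184000; includeSubDomains')
```

The draft also requires a backup pin whose key is not in the served chain, so an operator can rotate after a key loss without locking out pinned clients; that operator-side check is not modelled here.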
