[Ach] HTTP key pinning (HTKP)
hanno at hboeck.de
Wed Mar 19 23:27:58 CET 2014
On Wed, 19 Mar 2014 23:15:13 +0100
Aaron Zauner <azet at azet.org> wrote:
> This memo describes an extension to the HTTP protocol allowing web
> host operators to instruct user agents (UAs) to remember ("pin")
> the hosts' cryptographic identities for a given period of time.
> During that time, UAs will require that the host present a
> certificate chain including at least one Subject Public Key Info
> structure whose fingerprint matches one of the pinned fingerprints
> for that host. By effectively reducing the number of authorities who
> can authenticate the domain during the lifetime of the pin, pinning
> may reduce the incidence of man-in-the-middle attacks due to
> compromised Certification Authorities.
Any idea why this is done on HTTP? I'd say wrong layer - you want
the same functionality for TLS in general.
And: Isn't this basically the same idea as TACK?
mail/jabber: hanno at hboeck.de
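The abstract quoted above describes the mechanism in two sentences: the host sends fingerprints of SubjectPublicKeyInfo structures, and the UA later requires that at least one SPKI in the validated chain hash to one of them. The following is an added example of that check, not code from the draft, from the Ach list or from either author. It hand-encodes an RSA SPKI in DER (so it runs without a certificate library), computes the `pin-sha256` value as base64(SHA-256(SPKI DER)), parses a `Public-Key-Pins` header, and decides whether a chain satisfies the pins. The keys are constructed 2048-bit integers, not real RSA moduli (only their DER encoding matters here), and the directive syntax plus the backup-pin rule (a UA only notes pins if the header carries at least one pin that is in the chain and one that is not) are taken from the published RFC 7469, which this draft became; nothing beyond those two rules is assumed.

```python
import base64
import hashlib

# --- minimal DER encoder, enough for an rsaEncryption SubjectPublicKeyInfo ---

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content

def _der_int(value: int) -> bytes:
    b = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:          # DER INTEGER is signed: pad so it stays positive
        b = b"\x00" + b
    return _der(0x02, b)

RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")   # OID 1.2.840.113549.1.1.1

def rsa_spki_der(modulus: int, exponent: int) -> bytes:
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING (RSAPublicKey) }"""
    rsa_public_key = _der(0x30, _der_int(modulus) + _der_int(exponent))
    algorithm = _der(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")     # rsaEncryption, NULL params
    subject_public_key = _der(0x03, b"\x00" + rsa_public_key)    # 0 unused bits
    return _der(0x30, algorithm + subject_public_key)

# --- the pin itself: base64(SHA-256(DER SPKI)), exactly what pin-sha256 carries ---

def spki_pin_sha256(spki_der: bytes) -> str:
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

# --- Public-Key-Pins header handling ---

def parse_pkp_header(value: str) -> dict:
    pins, max_age, include_subdomains = [], None, False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "pin-sha256":
            pins.append(val)
        elif name == "max-age":
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
    return {"pins": pins, "max_age": max_age, "include_subdomains": include_subdomains}

def chain_matches_pins(chain_spkis: list, pins: list) -> bool:
    """Enforcement: at least one SPKI in the validated chain must hash to a noted pin."""
    return bool({spki_pin_sha256(s) for s in chain_spkis} & set(pins))

def should_note_pins(chain_spkis: list, header: dict) -> bool:
    """Noting: RFC 7469 requires max-age, one pin present in the chain and one backup pin not in it."""
    chain_pins = {spki_pin_sha256(s) for s in chain_spkis}
    pins = set(header["pins"])
    return header["max_age"] is not None and bool(pins & chain_pins) and bool(pins - chain_pins)

# --- constructed sample keys (deterministic 2048-bit integers, NOT real RSA keys) ---

def demo_modulus(seed: bytes) -> int:
    raw = int.from_bytes(hashlib.sha256(seed).digest() * 8, "big")
    return raw | (1 << 2047) | 1

LEAF_SPKI = rsa_spki_der(demo_modulus(b"leaf key"), 65537)
INTERMEDIATE_SPKI = rsa_spki_der(demo_modulus(b"intermediate CA key"), 65537)
BACKUP_SPKI = rsa_spki_der(demo_modulus(b"offline backup key"), 65537)
ROGUE_SPKI = rsa_spki_der(demo_modulus(b"key in a mis-issued cert"), 65537)

# Header the site would send: its leaf key plus an offline backup key, 60-day max-age.
PKP_HEADER = 'pin-sha256="%s"; pin-sha256="%s"; max-age=5184000; includeSubDomains' % (
    spki_pin_sha256(LEAF_SPKI), spki_pin_sha256(BACKUP_SPKI))

if __name__ == "__main__":
    noted = parse_pkp_header(PKP_HEADER)
    print("note pins:", should_note_pins([LEAF_SPKI, INTERMEDIATE_SPKI], noted))
    # A renewed certificate that keeps the same key has the same SPKI, so it still matches.
    print("legit chain:", chain_matches_pins([LEAF_SPKI, INTERMEDIATE_SPKI], noted["pins"]))
    # A cert for the same name issued by a compromised CA to a different key does not.
    print("rogue chain:", chain_matches_pins([ROGUE_SPKI, INTERMEDIATE_SPKI], noted["pins"]))
```

Because the pin covers the SPKI rather than the certificate, renewing a certificate with the same key does not break the pin, while a mis-issued certificate for a different key is rejected regardless of which CA signed it; the backup pin is what keeps the site reachable if the leaf key has to be replaced before `max-age` expires.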