[Ach] Recommendations creating CSRs

Hanno Böck hanno at hboeck.de
Tue Oct 14 13:58:44 CEST 2014


On Tue, 14 Oct 2014 13:30:09 +0200,
Aaron Zauner <azet at azet.org> wrote:

> * Hanno Böck <hanno at hboeck.de> [141014 10:38]:
> > HPKP is about to become RFC very soon.
> Yup. Saw that as well. Which is kind of interesting because the HPKP
> authors do not like the TACK concept (at least that's what they told
> me on Twitter). I'm not really sure why they like key pinning for
> HTTP but not for TLS in general.

I don't know, but there is one obvious advantage of HPKP: It completely
works within existing protocols.
You can deploy it without changing any software.

I would also have preferred a TLS solution, however having HPKP is
certainly an improvement to the situation as it was ("we know the CA
system is completely broken and total utter crap but we can't do
anything about it").

We'll have to live with it as it is. Maybe we'll have a split: HTTPS
will continue using HPKP and we'll have a new (TACK or something else)
way of pinning once people realize that this is an important feature
and we need it everywhere.

Google's motivation can probably be explained by the fact that they do
HTTP and don't do much else that needs a feature like this. I think they
already said they don't like IMAP any more.

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno at hboeck.de
GPG: BBB51E42
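The point made above that HPKP "works within existing protocols" comes down to one HTTP response header. The following is an added example, not code from the list or from any of its authors: a small Python parser for the Public-Key-Pins header together with the acceptance rule of RFC 7469 that a client applies before it notes the pins (max-age present, one pin matching the served chain, one backup pin that does not). The SPKI byte strings are constructed stand-ins, not real keys.

```python
import base64
import hashlib

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs (not real keys).
# HPKP pins the hash of the SPKI bytes, so any bytes suffice to exercise the logic.
LEAF_SPKI = b"constructed-leaf-spki"
BACKUP_SPKI = b"constructed-backup-spki"


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_hpkp(header_value: str) -> dict:
    """Split a Public-Key-Pins header value into its directives."""
    parsed = {"pins": [], "max_age": None, "include_subdomains": False, "report_uri": None}
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "pin-sha256":
            parsed["pins"].append(value)
        elif name == "max-age":
            parsed["max_age"] = int(value)
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
        elif name == "report-uri":
            parsed["report_uri"] = value
    return parsed


def should_note_pins(header_value: str, chain_spkis: list) -> tuple:
    """RFC 7469 rule for noting pins: max-age is required, at least one pin must
    match an SPKI in the served chain, and at least one pin must not (the backup).
    Returns (True, parsed directives) or (False, reason)."""
    parsed = parse_hpkp(header_value)
    if parsed["max_age"] is None:
        return False, "max-age missing"
    chain_pins = {spki_pin(s) for s in chain_spkis}
    matched = [p for p in parsed["pins"] if p in chain_pins]
    backups = [p for p in parsed["pins"] if p not in chain_pins]
    if not matched:
        return False, "no pin matches the served chain"
    if not backups:
        return False, "no backup pin"
    return True, parsed


def build_header(spkis: list, max_age: int) -> str:
    """Server side: emit a Public-Key-Pins header for the given SPKIs."""
    return "; ".join(f'pin-sha256="{spki_pin(s)}"' for s in spkis) + f"; max-age={max_age}"
```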