[Ach] bettercrypto.org cert blocked in chrome 56
alice at librelamp.com
Fri Dec 2 10:18:55 CET 2016
On 12/02/2016 12:47 AM, Terje Elde wrote:
>> On 30 Nov 2016, at 22:51, Gunnar Haslinger <gh.bettercrypto at hitco.at> wrote:
>>> when pinning your certificates you can include one whose
>>> coresponding key is not on the machine but acts as the backup key, maybe
>>> even offline.
>> Not "can", its not an option it is mandatory!
>> The browsers will NOT accept HPKP pinning if you don't add an currently unused backup key.
> Just a quick reminder:
> It can be a backup key that you have, but it can also be that of another CA. Or completely random. Bad idea, but the browsers would accept it.
> On another note;
> In general, when comparing and contrasting the CA-system, DANE/DNSSEC and HPKP, let’s also keep the following in mind;
> HPKP allows me to lock users into my keys. It gives me control over which keys the users will trust for my domains, and the services I’m trying to securely provide them with.
> Neither the CA-system nor DANE/DNSSEC really does that, not in a generic and “always" accessible way.
DNSSEC locks the user into fingerprints signed by my private signing
key. This is not a signing key that the TLD has access to.
You can argue that a nefarious actor could create their own signing key
and get the TLD to sign the DS records associated with that key, but
that is a very visible action that would be seen in the DNS responses
from the TLD. It's out in the open.
More information about the Ach