[Ach] bettercrypto.org cert blocked in chrome 56
Alice Wonder
alice at librelamp.com
Fri Dec 2 10:23:57 CET 2016
On 12/02/2016 12:47 AM, Terje Elde wrote:
>
>> On 30 Nov 2016, at 22:51, Gunnar Haslinger <gh.bettercrypto at hitco.at> wrote:
>>
>>> when pinning your certificates you can include one whose
>>> corresponding key is not on the machine but acts as the backup key, maybe
>>> even offline.
>>>
>>
>> Not "can", it's not an option, it is mandatory!
>>
>> The browsers will NOT accept HPKP pinning if you don't add a currently unused backup key.
>
> Just a quick reminder:
>
> It can be a backup key that you have, but it can also be that of another CA. Or completely random. Bad idea, but the browsers would accept it.
Oh and for what it is worth, if you don't trust the CAs (I don't) then
it seems counter-productive to add a fingerprint from a CA that would
allow the CA to easily issue certificates that would then validate.
But you can also do something insecure like that with DANE, the TLSA
record can be for a certificate authority.
That may be useful for a private corporate certificate authority used on
a corporate network, but whether DANE or HPKP it is a bad idea to do it
with a public certificate authority.
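The rule the thread is describing (a browser ignores a Public-Key-Pins header unless at least one pin matches a key in the served chain and at least one does not) can be checked directly. The following is an added example, not code from the list or from bettercrypto.org; the SPKI byte strings are constructed placeholders, not real DER, and the function names are my own.

```python
import base64
import hashlib
import re

PIN_RE = re.compile(r'pin-sha256="([A-Za-z0-9+/=]+)"')


def spki_pin(spki_der):
    """HPKP pin: base64 of SHA-256 over the DER-encoded SubjectPublicKeyInfo (RFC 7469)."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_pins(header):
    """Return every pin-sha256 value found in a Public-Key-Pins header."""
    return PIN_RE.findall(header)


def evaluate_hpkp(header, chain_spkis):
    """Apply the acceptance rule a user agent applies to a pin set.

    chain_spkis: DER SPKI blobs of the served chain, leaf first.
    A pin set is only honoured when some pin matches the chain AND some pin
    does not (the backup). The UA cannot tell whether a backup pin belongs to
    an offline key, another CA, or random bytes; it only checks non-emptiness.
    """
    pins = parse_pins(header)
    chain_pins = {spki_pin(s) for s in chain_spkis}
    matched = [p for p in pins if p in chain_pins]
    backup = [p for p in pins if p not in chain_pins]
    return {"pins": pins, "matched": matched, "backup": backup,
            "accepted": bool(matched) and bool(backup)}


# Constructed sample data: placeholders standing in for real DER SPKI structures.
LEAF_SPKI = b"constructed-leaf-spki"
INTERMEDIATE_SPKI = b"constructed-intermediate-spki"
OFFLINE_BACKUP_SPKI = b"constructed-offline-backup-spki"  # key kept off the server
CHAIN = [LEAF_SPKI, INTERMEDIATE_SPKI]


def header_without_backup():
    return f'pin-sha256="{spki_pin(LEAF_SPKI)}"; max-age=5184000'


def header_with_backup():
    return (f'pin-sha256="{spki_pin(LEAF_SPKI)}"; '
            f'pin-sha256="{spki_pin(OFFLINE_BACKUP_SPKI)}"; max-age=5184000')


if __name__ == "__main__":
    print(evaluate_hpkp(header_without_backup(), CHAIN)["accepted"])  # False
    print(evaluate_hpkp(header_with_backup(), CHAIN)["accepted"])     # True
```

A pin for the intermediate plus an arbitrary second value is also accepted, which is exactly why a backup pin that is not yours protects nothing.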