[Ach] bettercrypto.org cert blocked in chrome 56

Alice Wonder alice at librelamp.com
Fri Dec 2 10:23:57 CET 2016

On 12/02/2016 12:47 AM, Terje Elde wrote:
>> On 30 Nov 2016, at 22:51, Gunnar Haslinger <gh.bettercrypto at hitco.at> wrote:
>>> when pinning your certificates you can include one whose
>>> coresponding key is not on the machine but acts as the backup key, maybe
>>> even offline.
>> Not "can", its not an option it is mandatory!
>> The browsers will NOT accept HPKP pinning if you don't add an currently unused backup key.
> Just a quick reminder:
> It can be a backup key that you have, but it can also be that of another CA.  Or completely random.  Bad idea, but the browsers would accept it.

Oh and for what it is worth, if you don't trust the CAs (I don't) then 
it seems counter-productive to add a fingerprint from a CA that would 
allow the CA to easily issue certificates that would then validate.

But you can also do something insecure like that with DANE, the TLSA 
record can be for a certificate authority.

That may be useful for a private corporate certificate authority used on 
a corporate network, but whether DANE or HPKP it is a bad idea to do it 
with a public certificate authority.

More information about the Ach mailing list