[Ach] HTTP key pinning (HTKP)
Hanno Böck
hanno at hboeck.de
Wed Mar 19 23:27:58 CET 2014
On Wed, 19 Mar 2014 23:15:13 +0100
Aaron Zauner <azet at azet.org> wrote:
> This memo describes an extension to the HTTP protocol allowing web
> host operators to instruct user agents (UAs) to remember ("pin")
> the hosts' cryptographic identities for a given period of time.
> During that time, UAs will require that the host present a
> certificate chain including at least one Subject Public Key Info
> structure whose fingerprint matches one of the pinned fingerprints
> for that host. By effectively reducing the number of authorities who
> can authenticate the domain during the lifetime of the pin, pinning
> may reduce the incidence of man-in-the-middle attacks due to
> compromised Certification Authorities.
Any idea why this is done on HTTP? I'd say wrong layer - you want
the same functionality for TLS in general.
And: Isn't this basically the same idea as TACK?
--
Hanno Böck
http://hboeck.de/
mail/jabber: hanno at hboeck.de
GPG: BBB51E42
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL: <http://lists.cert.at/pipermail/ach/attachments/20140319/a14cbdf7/attachment.sig>
More information about the Ach
mailing list