Re: [openpgp] New fingerprint: to v5 or not to v5

2015-10-09 21:11:57
Daniel Kahn Gillmor <dkg(_at_)fifthhorseman(_dot_)net> writes:

For X.509, we do have certificate fingerprints, but they turn out to not be
particularly useful.

Actually they're very useful if you're doing proper checking in your PKI (so
not relying on commercial CAs or any of the X.500/X.509 folderol that doesn't
work), you either fingerprint the cert(s) you expect to see (e.g. for securing
a web service for a mobile app) or the CA cert that you rely on to issue certs
you can rely on. You can also use them for cute things like self-certifying
URLs: the first part of the FQDN is a hash of the cert at that location.
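
The two uses described in the message above, as an added example that is not part of the original message: checking a presented certificate against expected fingerprints, and checking a self-certifying host name. It assumes SHA-256 over the DER encoding and a base32 label; the function names and the byte strings standing in for DER certificates are constructed for illustration.

```python
import base64
import hashlib
import hmac
from typing import Iterable

# Constructed stand-ins for DER-encoded certificates (not real certificates);
# the fingerprint is a hash over the encoded bytes, whatever they contain.
SAMPLE_LEAF = b"constructed stand-in for the expected DER certificate"
SAMPLE_OTHER = b"constructed stand-in for an unexpected DER certificate"


def fingerprint(der_cert: bytes) -> bytes:
    """SHA-256 over the complete DER encoding of the certificate."""
    return hashlib.sha256(der_cert).digest()


def is_pinned(der_cert: bytes, pins: Iterable[bytes]) -> bool:
    """True if the certificate's fingerprint equals one of the expected pins."""
    fp = fingerprint(der_cert)
    return any(hmac.compare_digest(fp, pin) for pin in pins)


def chain_is_pinned(validated_chain: Iterable[bytes], pins: Iterable[bytes]) -> bool:
    """Leaf or CA pinning: some certificate in the chain matches a pin.

    Assumption: the chain has already passed signature/path validation.
    A CA certificate merely sent along by the peer proves nothing.
    """
    pins = list(pins)
    return any(is_pinned(cert, pins) for cert in validated_chain)


def self_certifying_label(der_cert: bytes) -> str:
    """Fingerprint as a DNS label: base32, lower case, no padding (52 chars)."""
    encoded = base64.b32encode(fingerprint(der_cert)).decode("ascii")
    return encoded.rstrip("=").lower()


def host_matches_cert(hostname: str, der_cert: bytes) -> bool:
    """True if the first label of the FQDN is the hash of the served cert."""
    first_label = hostname.split(".", 1)[0].lower()
    expected = self_certifying_label(der_cert)
    return hmac.compare_digest(first_label.encode(), expected.encode())


# Pins are computed once from certificates obtained out of band.
PINS = [fingerprint(SAMPLE_LEAF)]
```
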


