On Fri, Jun 13, 2014, John R Levine wrote:
> Oh, another question: why would you need more than
> TLSPIN 12345
> where 12345 is the number of seconds to pin the certificate you just saw?
Because people use different certificates for the same "host" (not
just same hostname, but even same IP address). MeTA1 has an experimental
cert-pinning feature and it very often logs that the presented cert
doesn't match the previous cert -- it currently only stores one per
IP address (that's why the feature is experimental...)
Hence you need to be able to offer multiple valid cert fingerprints
(probably with individual TTLs), e.g.,
250-PKP SHA256=d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM= TTL=200000
250-PKP SHA256=LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ= TTL=100000
_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp
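Added example (not code from the thread or from MeTA1): a client-side pin store that keeps every unexpired fingerprint per host with its own TTL, so a site rotating between several certificates for one host does not produce the false mismatches described above. The `250-PKP SHA256=... TTL=...` line shape is taken from the reply; treating it as an EHLO keyword, the host names and the certificate bytes are assumptions constructed for the example.

```python
import base64
import hashlib
import re

# "PKP" is the EHLO keyword sketched in the thread (an assumption, not a published extension).
PKP_LINE = re.compile(r"^250[- ]PKP\s+SHA256=(?P<fp>[A-Za-z0-9+/=]+)\s+TTL=(?P<ttl>\d+)\s*$")

def cert_fingerprint(cert_der: bytes) -> str:
    """Base64 SHA-256 over the certificate's DER bytes, the value carried in SHA256=..."""
    return base64.b64encode(hashlib.sha256(cert_der).digest()).decode("ascii")

def parse_pkp_lines(ehlo_response: str, now: float) -> list:
    """Return (fingerprint, expires_at) pairs for every PKP line; other lines are ignored."""
    pins = []
    for line in ehlo_response.splitlines():
        m = PKP_LINE.match(line.strip())
        if m:
            pins.append((m.group("fp"), now + int(m.group("ttl"))))
    return pins

class PinStore:
    """Keeps every unexpired pin per host instead of only the last certificate seen."""
    def __init__(self):
        self._pins = {}  # host -> {fingerprint: expires_at}
    def update(self, host: str, pins: list, now: float) -> None:
        live = {fp: exp for fp, exp in self._pins.get(host, {}).items() if exp > now}
        for fp, exp in pins:
            live[fp] = exp  # a re-announced fingerprint takes its fresh TTL
        self._pins[host] = live
    def check(self, host: str, cert_der: bytes, now: float) -> str:
        """'match', 'mismatch', or 'unpinned' when no unexpired pin exists for the host."""
        live = {fp for fp, exp in self._pins.get(host, {}).items() if exp > now}
        if not live:
            return "unpinned"
        return "match" if cert_fingerprint(cert_der) in live else "mismatch"

# Constructed stand-ins for DER certificates; a real client hashes the bytes from the TLS handshake.
CERT_A, CERT_B, CERT_X = b"constructed cert A", b"constructed cert B", b"constructed unknown cert"

def demo(now: float) -> dict:
    ehlo = ("250-mail.example.test Hello\n"          # constructed reply in the proposed shape
            f"250-PKP SHA256={cert_fingerprint(CERT_A)} TTL=200000\n"
            f"250-PKP SHA256={cert_fingerprint(CERT_B)} TTL=100000\n"
            "250 STARTTLS\n")
    store, host = PinStore(), "mail.example.test"
    store.update(host, parse_pkp_lines(ehlo, now), now)
    return {"a": store.check(host, CERT_A, now), "b": store.check(host, CERT_B, now),
            "x": store.check(host, CERT_X, now), "b_later": store.check(host, CERT_B, now + 150000),
            "a_later": store.check(host, CERT_A, now + 150000), "other": store.check("other.example.test", CERT_A, now)}
```

After 150000 seconds the shorter-lived pin for cert B has lapsed while cert A's pin is still valid, so B is reported as a mismatch and A still matches.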