Re: [ietf-smtp] certificate pinning

2014-06-13 19:18:38
On Fri, Jun 13, 2014, John R Levine wrote:

> Oh, another question: why would you need more than
>
> TLSPIN 12345
>
> where 12345 is the number of seconds to pin the certificate you just saw?

Because people use different certificates for the same "host" (not
just same hostname, but even same IP address). MeTA1 has an experimental
cert-pinning feature and it very often logs that the presented cert
doesn't match the previous cert -- it currently only stores one per
IP address (that's why the feature is experimental...)

Hence you need to be able to offer multiple valid cert fingerprints
(probably with individual TTLs), e.g.,

250-PKP SHA256=d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM= TTL=200000
250-PKP SHA256=LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ= TTL=100000


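The following is an added illustration of the point made in the reply above; it is not code from the post, from MeTA1, or from any IETF document. It parses a multi-pin EHLO reply of the shape shown in the two 250-PKP lines, keeps one expiry per pin, and then compares two stores over the same sequence of connections: a store that remembers only the last certificate seen (the one-pin-per-IP behaviour the reply describes as producing frequent mismatch logs) and a store fed the announced pin set. The 250-PKP line grammar is inferred from those two lines, the pin is assumed to be base64 of SHA-256 over the certificate's DER bytes (the post does not say what exactly is hashed), and the "certificates" and the EHLO reply are constructed byte strings, not real data.

```python
import base64
import hashlib
import re
from dataclasses import dataclass

# Assumed grammar, inferred from the two 250-PKP lines in the post:
#   250-PKP SHA256=<base64 of a 32-byte digest> TTL=<seconds>
PKP_LINE = re.compile(r"^250[- ]PKP\s+SHA256=(?P<pin>\S+)\s+TTL=(?P<ttl>\d+)\s*$")


@dataclass(frozen=True)
class Pin:
    digest: bytes    # raw 32-byte SHA-256 value
    expires: int     # absolute time (seconds) after which the pin is dropped


def fingerprint(der: bytes) -> str:
    """Base64(SHA-256(der)). Hashing the whole cert DER is an assumption of this example."""
    return base64.b64encode(hashlib.sha256(der).digest()).decode("ascii")


def parse_pkp_lines(ehlo_reply, now):
    """Extract every PKP pin from a multi-line EHLO reply; malformed pins are rejected."""
    pins = []
    for line in ehlo_reply:
        m = PKP_LINE.match(line)
        if m is None:
            continue
        digest = base64.b64decode(m.group("pin"), validate=True)  # binascii.Error is a ValueError
        if len(digest) != hashlib.sha256().digest_size:
            raise ValueError("PKP pin is not a SHA-256 digest: %r" % line)
        pins.append(Pin(digest, now + int(m.group("ttl"))))
    return pins


class MultiPinStore:
    """Keeps several pins per host, each with its own expiry (the shape the post asks for)."""

    def __init__(self):
        self._pins = {}   # host -> {digest: Pin}

    def learn(self, host, pins):
        entry = self._pins.setdefault(host, {})
        for p in pins:
            entry[p.digest] = p     # re-announcing a pin refreshes its TTL

    def check(self, host, cert_der, now):
        live = {d: p for d, p in self._pins.get(host, {}).items() if p.expires > now}
        self._pins[host] = live
        if not live:
            return "unpinned"       # nothing (still) known for this host: ordinary validation applies
        return "match" if hashlib.sha256(cert_der).digest() in live else "mismatch"


def single_pin_mismatches(observed_certs):
    """Simulates a store that remembers only the last certificate seen for a host
    (one pin per host, as the post describes the experimental feature) and counts
    how often a rotating host makes it complain."""
    last, mismatches = None, 0
    for der in observed_certs:
        if last is not None and der != last:
            mismatches += 1
        last = der
    return mismatches


def multi_pin_mismatches(ehlo_reply, observed_certs, now):
    """Same connection sequence, but checked against the announced pin set."""
    store = MultiPinStore()
    store.learn("mx.example.test", parse_pkp_lines(ehlo_reply, now))
    return sum(store.check("mx.example.test", der, now) == "mismatch" for der in observed_certs)


# Constructed stand-ins for two DER-encoded certificates a host might alternate between.
CERT_A = b"constructed DER for certificate A"
CERT_B = b"constructed DER for certificate B"
CERT_X = b"constructed DER for an unannounced certificate"

# Constructed EHLO reply advertising both certificates with individual TTLs.
EHLO_REPLY = [
    "250-mx.example.test Hello",
    "250-PKP SHA256=%s TTL=200000" % fingerprint(CERT_A),
    "250-PKP SHA256=%s TTL=100000" % fingerprint(CERT_B),
    "250 STARTTLS",
]

if __name__ == "__main__":
    rotation = [CERT_A, CERT_B, CERT_A, CERT_B]
    print("single pin:", single_pin_mismatches(rotation))               # 3
    print("multi pin: ", multi_pin_mismatches(EHLO_REPLY, rotation, 0))  # 0
```

Two behaviours worth noting: once a pin's TTL has passed it is silently dropped, so a certificate announced with the shorter TTL turns into a mismatch after that TTL unless the server re-announces it, and a host with no live pins left is reported as "unpinned" rather than "match", so the caller can fall back to whatever it would do for a host it has never seen.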