ietf-smtp

Re: [ietf-smtp] certificate pinning

2014-06-13 19:26:27
On Jun 13, 2014 5:18 PM, "Claus Assmann" <ietf-smtp(_at_)esmtp(_dot_)org> wrote:

> On Fri, Jun 13, 2014, John R Levine wrote:
>
> > Oh, another question: why would you need more than
> >
> > TLSPIN 12345
> >
> > where 12345 is the number of seconds to pin the certificate you just
> > saw?
>
> Because people use different certificates for the same "host" (not
> just same hostname, but even same IP address). MeTA1 has an experimental
> cert-pinning feature and it very often logs that the presented cert
> doesn't match the previous cert -- it currently only stores one per
> IP address (that's why the feature is experimental...)
>
> Hence you need to be able to offer multiple valid cert fingerprints
> (probably with individual TTLs), e.g.,
>
> 250-PKP SHA256=d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM= TTL=200000
> 250-PKP SHA256=LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ= TTL=100000

Also, for replacement.  You can advertise before you issue the new cert, at
least for planned replacements, if you aren't pinning to something up the
chain.

For us, we roll out certs with new releases and canary them to ensure we
don't break clients (and we have broken clients in the past with new
certs), so it's possible for new connections to go to either prod or
canary.  Ditto for when we upgraded from 1024 to 2048 bit certs.

Brandon
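The multi-pin advertisement sketched in the quoted reply, with a per-pin TTL so that a planned prod/canary key rollover can overlap, as an added example that is not code from MeTA1 or from any poster in this thread: a client-side pin store that parses such `250-PKP` lines from an EHLO reply and checks a presented key against whichever pins are still live. The `250-PKP SHA256=... TTL=...` syntax is taken from the thread; hashing the DER SubjectPublicKeyInfo, the host name and the key bytes are assumptions constructed for the example.

```python
import base64
import hashlib

def spki_fingerprint(spki_der):
    """Base64 of SHA-256 over the DER SubjectPublicKeyInfo (HPKP-style pin; assumed)."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

# Constructed stand-ins for a server's current and next public key (not real DER).
KEY_PROD = b"constructed-spki-prod"
KEY_CANARY = b"constructed-spki-canary"

# Constructed EHLO reply: prod key with a long TTL, canary key with a short one,
# plus one malformed PKP line that a careful client must ignore.
SAMPLE_EHLO = [
    "250-mail.example.test",
    "250-PKP SHA256=%s TTL=200000" % spki_fingerprint(KEY_PROD),
    "250-PKP SHA256=%s TTL=100000" % spki_fingerprint(KEY_CANARY),
    "250-PKP SHA256=bogus TTL=abc",
    "250 STARTTLS",
]

def parse_pkp_lines(lines, now):
    """Map fingerprint -> absolute expiry for every well-formed PKP line."""
    pins = {}
    for line in lines:
        if not line.startswith(("250-PKP ", "250 PKP ")):
            continue
        fields = dict(f.split("=", 1) for f in line[8:].split() if "=" in f)
        fp, ttl = fields.get("SHA256"), fields.get("TTL")
        if not fp or not ttl or not ttl.isdigit():
            continue  # malformed advertisement: do not pin garbage
        pins[fp] = max(pins.get(fp, 0), now + int(ttl))
    return pins

class PinStore:
    """Per-host set of pinned key fingerprints, each with its own expiry."""
    def __init__(self):
        self.pins = {}

    def learn(self, host, ehlo_lines, now):
        store = self.pins.setdefault(host, {})
        for fp, exp in parse_pkp_lines(ehlo_lines, now).items():
            store[fp] = max(store.get(fp, 0), exp)  # never shorten an existing pin

    def live_pins(self, host, now):
        return {fp for fp, exp in self.pins.get(host, {}).items() if exp > now}

    def accept(self, host, spki_der, now):
        """True when no pin is in force for host, or the presented key matches a live pin."""
        live = self.live_pins(host, now)
        return not live or spki_fingerprint(spki_der) in live
```

Because each pin carries its own TTL, the canary key drops out of the set on its own once its shorter TTL lapses while the prod key stays pinned, which is the overlap the replacement case needs.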


_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp