ietf

Re: [IAB] Mandatory encryption as part of HTTP2

2013-11-18 01:24:19
At 16:49 17-11-2013, Theodore Ts'o wrote:
One of the reasons why the bogus Diginotar certificates were detected
was because Google Chrome had a feature called "certificate pinning"
--- which is not a feature normally associated with PKIs.  It's
unfortunately not all that scalable, since it involved hard-coding
certificates, or their hashes, in the browser binary.  The challenge
is coming up with a solution that *is* more scalable, and less
dependent on trusting that CAs are competently run.

Yes.

The certificate was issued on July 10, 2011. The user report was filed on August 27, 2011.

At 17:32 17-11-2013, Phillip Hallam-Baker wrote:
Diginotar would have noticed the issue if they had been checking their OCSP logs as well.

This raises the question of whether the ETSI audits were of any use.

Regards,
-sm