Yo Richard! On Thu, 28 Mar 2019 17:00:51 -0500 Richard Laager via devel <devel@ntpsec.org> wrote:
> On 3/28/19 3:01 PM, Gary E. Miller via devel wrote:
> > server nts3-e.ostfalia.de:443 nts noval pin
> > 60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18
>
> I think the "pin" option should take (as an argument or in its name),
> the hash algorithm being used (presumably SHA-256 here, but it could
> change in the future). For example, HPKP uses pin-sha256 as the name.

If we are going to design the option, then it needs to specify the algorithm,
and what it is pinned to. You can pin to the provided cert, the cert that
signed the cert, the full chain of the cert, the root that signed the cert,
or just the public key of the cert. Some pinning clients also specify a max
age for the pin.

This goes into detail on many of the options:

https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning

Here is sample C code to have OpenSSL do pinning:

https://www.owasp.org/images/f/f7/Pubkey-pin-openssl.zip

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller
Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
g...@rellim.com  Tel:+1 541 382 8588

Veritas liberabit vos. -- Quid est veritas?
"If you can't measure it, you can't improve it." - Lord Kelvin
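The choice of pin target raised above (the presented cert itself versus just its public key) behaves differently when a certificate is re-issued for an unchanged key. The following is an added example in Python, not code from this thread or from NTPsec; it assumes HPKP-style base64(SHA-256) pins and uses constructed minimal DER certificate skeletons with placeholder fields rather than real certificates.

```python
import base64
import hashlib

def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value (short or long-form length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(enc)]) + enc + body

def der_children(body: bytes) -> list:
    """Split the body of a constructed DER value into (tag, body) pairs."""
    out, i = [], 0
    while i < len(body):
        tag, ln, i = body[i], body[i + 1], i + 2
        if ln & 0x80:                                  # long-form length
            k = ln & 0x7F
            ln, i = int.from_bytes(body[i:i + k], "big"), i + k
        out.append((tag, body[i:i + ln]))
        i += ln
    return out

def extract_spki(cert_der: bytes) -> bytes:
    """Certificate -> tbsCertificate -> subjectPublicKeyInfo, which follows
    the optional [0] version, serial, sigAlg, issuer, validity and subject."""
    fields = der_children(der_children(der_children(cert_der)[0][1])[0][1])
    if fields[0][0] == 0xA0:
        fields = fields[1:]
    return der_tlv(*fields[5])

def pin_sha256(data: bytes) -> str:
    """HPKP-style pin string: base64(SHA-256(data)), for SPKI or whole cert."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def check_pin(cert_der: bytes, expected: str, target: str = "spki") -> bool:
    """target='spki' pins the public key; target='cert' pins this exact cert."""
    data = extract_spki(cert_der) if target == "spki" else cert_der
    return pin_sha256(data) == expected

def make_cert(spki: bytes, signature: bytes) -> bytes:
    """Constructed certificate skeleton: real X.509 layout, placeholder fields."""
    tbs = der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")  # version, serial
    tbs += der_tlv(0x30, b"") * 4 + spki      # sigAlg, issuer, validity, subject, SPKI
    sig = der_tlv(0x30, b"") + der_tlv(0x03, b"\x00" + signature)
    return der_tlv(0x30, der_tlv(0x30, tbs) + sig)

# Constructed: the same public key in two certificates with different signatures,
# as happens when a certificate is re-issued or renewed for an unchanged key.
SPKI = der_tlv(0x30, der_tlv(0x30, b"") + der_tlv(0x03, b"\x00\x04" + b"\xab" * 64))
CERT_A = make_cert(SPKI, b"\x11" * 32)
CERT_B = make_cert(SPKI, b"\x22" * 32)
```

A pin over the SPKI keeps matching across the re-issue, while a pin over the whole certificate breaks as soon as the signature changes, which is why the option needs to say which of the two it means.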