Yo Richard!

On Thu, 28 Mar 2019 18:14:16 -0500
Richard Laager via devel <devel@ntpsec.org> wrote:

> On 3/28/19 6:07 PM, Gary E. Miller via devel wrote:
> > Yo Richard!
> > 
> > On Thu, 28 Mar 2019 17:55:36 -0500
> > Richard Laager via devel <devel@ntpsec.org> wrote:
> >   
> >> On 3/28/19 5:47 PM, Gary E. Miller via devel wrote:  
> >>> Don't care.  I like that the cert is pinned.    
> >>
> >> There is a downside. Every time it changes, you have to take a
> >> leap of faith when you re-pin it, rather than getting normal CA
> >> validation.  
> > 
> > You miss the point, this is in addition to normal CA validation, not
> > an alternative to it.  Just like HPKP.  
> 
> No, it's not. Pidgin only pops up that dialog if it can't validate the
> certificate. So validation has failed, and you're taking a leap of
> faith to accept the new certificate each time it changes.

So, maybe, the message is imprecise:  The cert changed, please approve.

But, once again, I don't care exactly what Pidgin is doing.  Just using
it as one of many common examples of how key pinning is done all around
us all the time.  There are the good, the bad, and the ugly.

We just need to decide what is correct for NTPsec to do.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
        g...@rellim.com  Tel:+1 541 382 8588

            Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin
