On Thu, Mar 28, 2019 at 04:38:44PM -0700, Gary E. Miller via devel wrote:
> Potential extra security is just an added feature that you get for free
> once you add certificate pinning to handle the ostfalia case.
>
> Check the pin, but do not check the chain:
>
> server ostfalie.de noval pin XXXXXXX
>
> Check the pin, and check the chain:
>
> server rellim.com pin YYYYYY
>
> Now if someone can trick a CA into giving them a valid rellim.com cert
> the connection will still be secure.
Do you have an example of software that implements pinning as BOTH a central trust store + a specific pin?

postfix allows the user to specify a trust-anchor file per destination. So a typical postfix tls policy table (when you need specific TLS policy rules) might have:

foo.com secure tafile=/etc/ssl/certs/QuoVadis_Root_CA_2_G3.pem
bar.com secure

So foo.com is required to match a specific commercial CA and bar.com is allowed to match any CA in the system trust store.

See http://www.postfix.org/postconf.5.html#smtp_tls_trust_anchor_file

Thanks,
-Matt

_______________________________________________
devel mailing list
devel@ntpsec.org
http://lists.ntpsec.org/mailman/listinfo/devel
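As an added illustration of the two rules quoted above (example code, not from this thread, NTPsec or postfix): the pin is taken as SHA-256 over the certificate's SubjectPublicKeyInfo, the RFC 7469 convention, which is an assumption here since the thread does not say what the pin covers; a "noval" rule accepts on pin match alone, the other rule requires pin match AND a valid chain. The hostnames as policy keys, the policy dict shape and the certificate-shaped test DER built by fake_cert are constructed for the example.

```python
import base64, hashlib

def _der_tlv(buf, pos=0):
    """Parse one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _der_children(value):  # (tag, value) of each element in a SEQUENCE body
    pos = 0
    while pos < len(value):
        tag, val, pos = _der_tlv(value, pos)
        yield tag, val

def _der_encode(tag, value):  # re-wrap a value with its tag and DER length
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def spki_pin(cert_der):
    """base64(SHA-256(SubjectPublicKeyInfo DER)) of an X.509 certificate."""
    _, cert, _ = _der_tlv(cert_der)          # Certificate ::= SEQUENCE
    _, tbs = next(_der_children(cert))       # first element: tbsCertificate
    fields = list(_der_children(tbs))
    if fields[0][0] == 0xA0:                 # optional [0] EXPLICIT version
        fields = fields[1:]
    tag, val = fields[5]  # serial, signature, issuer, validity, subject, SPKI
    return base64.b64encode(hashlib.sha256(_der_encode(tag, val)).digest()).decode()

def accept(host, cert_der, chain_valid, policy):
    """Per-host rule: a wrong pin always fails; 'noval' skips the chain check."""
    rule = policy[host]
    if spki_pin(cert_der) != rule["pin"]:
        return False
    return rule["noval"] or chain_valid

def fake_cert(pubkey, with_version=True):
    """Constructed, unsigned certificate-shaped DER for offline testing only."""
    alg = _der_encode(0x30, _der_encode(0x06, b"\x2b\x65\x70"))   # OID 1.3.101.112
    spki = _der_encode(0x30, alg + _der_encode(0x03, b"\x00" + pubkey))
    empty = _der_encode(0x30, b"")                                # placeholder SEQUENCEs
    fields = [_der_encode(0x02, b"\x01"), empty, empty, empty, empty, spki]
    if with_version:
        fields.insert(0, _der_encode(0xA0, _der_encode(0x02, b"\x02")))
    tbs = _der_encode(0x30, b"".join(fields))
    return _der_encode(0x30, tbs + empty + _der_encode(0x03, b"\x00"))
```

Because the pin covers only the public key, it survives certificate renewal with the same key and is unaffected by which CA signed the chain, which is exactly why the "noval" case can drop chain validation without dropping key authentication.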