Hal Murray via devel writes:
>> That doesn't do pinning, it reduces the source of trust anchors to just a
>> single one.
>
> Thanks.  Would you please give me a lesson (or pointer to one) on this area.

https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning

> Does pinning work with a typical cert-chain that I get from a server?  If so,
> where do I get the certificate that I'm looking for?

Most certificate chains you will encounter for public systems have at
least one intermediate.  You probably should pin both the intermediate
and the root certificate, but continue to validate both.  If you put the
trust anchor at the intermediate, any certificate validation stops there
(and if the chain has alternates they won't be checked either of
course).


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Samples for the Waldorf Blofeld:
http://Synth.Stromeko.net/Downloads.html#BlofeldSamplesExtra
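
An added example, not part of the original message and not NTPsec code: pinning applied on top of normal validation, as the reply recommends, instead of replacing the trust anchors. It pins whole-certificate SHA-256 fingerprints rather than public keys. The function names, the policy that every pin must appear in the chain, and the byte strings standing in for DER certificates are assumptions made for illustration.

```python
import hashlib
import socket
import ssl


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def pins_satisfied(verified_chain: list[bytes], pins: set[str]) -> bool:
    """True if every pinned fingerprint appears among the CA certificates
    (everything after the leaf) of an already validated chain."""
    ca_fingerprints = {fingerprint(der) for der in verified_chain[1:]}
    return bool(pins) and pins <= ca_fingerprints


def connect_pinned(host: str, port: int, pins: set[str]) -> ssl.SSLSocket:
    """Validate against the system trust store first, then apply the pins."""
    ctx = ssl.create_default_context()   # normal path and hostname validation
    raw = socket.create_connection((host, port), timeout=10)
    try:
        sock = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    chain = sock.get_verified_chain()    # list of DER bytes, Python 3.13+
    if not pins_satisfied(chain, pins):
        sock.close()
        raise ssl.SSLError("validated chain does not contain the pinned CAs")
    return sock


# Constructed stand-ins for DER certificates, so the pin logic runs offline.
LEAF, INTERMEDIATE, ROOT = b"leaf-der", b"intermediate-der", b"root-der"
OTHER_INTERMEDIATE = b"other-intermediate-der"
PINS = {fingerprint(INTERMEDIATE), fingerprint(ROOT)}

if __name__ == "__main__":
    # Chain through the pinned intermediate and root: accepted.
    print(pins_satisfied([LEAF, INTERMEDIATE, ROOT], PINS))
    # Chain that validates to the same root via another intermediate: rejected.
    print(pins_satisfied([LEAF, OTHER_INTERMEDIATE, ROOT], PINS))
```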