On 06.10.2012 23:41, "Charles Mills" <charl...@mcn.org> wrote:


>Thanks. I'm a relative newbie to this whole topic. Can you point me to a
>resource that describes "pin" in the sense you use it below? The word is
>too common for the Google to be much help.

Try searching for "certificate pinning". If you are familiar with ssh, it
is the same concept as the StrictHostKeyChecking option (although
obviously SSH and TLS are completely distinct protocols and by default SSH
doesn't use X.509 certs).

The idea is: with a standard TLS connection, acting as TLS client, you
connect to a host for the first time and you receive its certificate. The
standard TLS verifications are successful (meaning: the certificate really
belongs to the host and it has been issued by a CA you trust). When the
connection is closed, a normal TLS client will forget the certificate.

On the other hand, certificate pinning remembers the certificate. Pinning
means storing the certificate locally and associating it with the hostname
you connected to. If the next time you connect the certificate has
changed, a system supporting certificate pinning will warn you.

The certificate can change for many reasons, some legitimate (e.g. it has
expired), some others _might_ be a symptom of an attack (e.g. the issuing CA
has changed).

The assumption behind this is that the first time you connect, there is no
attack underway, and you store the legitimate certificate. Again with the
ssh parallel, ssh stops and shows you the fingerprint of the public key.
You are supposed to verify, out-of-band, the fingerprint and then
authorize pinning the public key. The criteria for the verification are
up to you.

You still have the problem of deciding how to handle the case of a
changed certificate, but at least you know it is happening.

As a parallel: we first meet and as proof of identity I show you my
Italian passport. If the next time we meet you remember me, but this time
I show you a French passport, you begin to wonder. Did I change
nationality (possible) or is something fishy going on?

marco
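
The pinning behaviour described in this message, as an added example that is not part of the original email: a small pin store in Python that remembers a certificate fingerprint per hostname and reports when it changes. The `PinStore` class, its JSON pin file and the host name `mail.example` are assumptions made for illustration.

```python
import hashlib
import json
import os
import socket
import ssl
import tempfile


def fingerprint(der_cert: bytes) -> str:
    return hashlib.sha256(der_cert).hexdigest()  # SHA-256 of the DER bytes


class PinStore:  # hostname -> fingerprint, kept in a JSON file (assumed format)
    def __init__(self, path: str):
        self.path, self.pins = path, {}
        if os.path.exists(path):
            with open(path) as fh:
                self.pins = json.load(fh)

    def check(self, host: str, der_cert: bytes) -> str:
        """'unknown' = never pinned, 'match' = same cert, 'changed' = warn the user."""
        known = self.pins.get(host.lower())
        if known is None:
            return "unknown"
        return "match" if known == fingerprint(der_cert) else "changed"

    def pin(self, host: str, der_cert: bytes) -> None:
        """Call only after the fingerprint has been verified out-of-band."""
        self.pins[host.lower()] = fingerprint(der_cert)
        with open(self.path + ".tmp", "w") as fh:  # write, then rename atomically
            json.dump(self.pins, fh)
        os.replace(self.path + ".tmp", self.path)


def fetch_cert(host: str, port: int = 443) -> bytes:
    """Standard TLS checks (trusted CA, hostname) run first; returns the leaf cert."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def demo() -> list:
    old, new = b"constructed-cert-A", b"constructed-cert-B"  # constructed, not real DER
    store = PinStore(os.path.join(tempfile.mkdtemp(), "pins.json"))
    first = store.check("mail.example", old)
    store.pin("mail.example", old)
    store = PinStore(store.path)  # reload from disk: the pin outlives the connection
    return [first, store.check("mail.example", old), store.check("mail.example", new)]
```

A "changed" result only says the stored fingerprint no longer matches; a legitimate renewal produces it as well, so the decision on how to proceed stays with the caller.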
