Re: HTTPS everywhere!
Hi,
Russell Stuart:
> This looks like pinning under another name to me. And quoting you
> above, in this very same email, you say pinning is too hard because you
> have to "hard code all the single Debian host certs in all programs that
> use TLS/SSL (or at least with Debian services)". And yet now you say we
> have to do this anyway!
>
The difference is that while pinning a bunch of certificates is indeed a
lot of on-going work, pinning the CA cert used to sign these is not (set up
the CA and install it into our software once, sign server certificates with
that forevermore).
--
-- Matthias Urlichs