Re: HTTPS everywhere!


Russell Stuart:
> This looks like pinning under another name to me.  And quoting you
> above, in this very same email, you say pinning is too hard because you
> have to "hard code all the single Debian host certs in all programs that
> use TLS/SSL (or at least with Debian services)".  And yet now you say we
> have to do this anyway!
The difference is that while pinning a bunch of certificates is indeed a
lot of on-going work, pinning the CA cert used to sign these is not (set up
the CA and install it into our software once, sign server certificates with
that forevermore).

-- Matthias Urlichs
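The distinction drawn above, shown as an added shell example that is not part of the thread: a private CA is created once and its certificate pinned, server certificates are then issued (and re-issued) under it without touching the pin, and a certificate from any other issuer is rejected. It assumes only the openssl CLI; every name and path is made up.

```shell
#!/bin/sh
# Added example (not from the original thread). Pin the CA certificate once,
# sign server certificates with it thereafter, and verify each server cert
# against the pin. Assumes the openssl CLI; all names/paths are invented.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# One-time step: create the private CA and keep a pinned copy of its cert.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -subj "/CN=Example Private CA" -days 3650 >/dev/null 2>&1
cp ca.pem pinned-ca.pem

# issue_cert NAME: mint a fresh server key and a CA-signed certificate.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
    -out "$1.pem" -days 365 >/dev/null 2>&1
}

# verify_against_pin CERT: exit 0 if CERT chains to the pinned CA, else 1.
verify_against_pin() {
  openssl verify -CAfile pinned-ca.pem "$1" >/dev/null 2>&1
}

issue_cert server1
issue_cert server2   # a later re-issue: no change on the client side

# A certificate from an unrelated issuer (self-signed here, same CN) must fail.
openssl req -x509 -newkey rsa:2048 -nodes -keyout rogue.key -out rogue.pem \
  -subj "/CN=server1" -days 365 >/dev/null 2>&1

for c in server1 server2 rogue; do
  if verify_against_pin "$c.pem"; then echo "$c: trusted"; else echo "$c: rejected"; fi
done
```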

