Re: Network security manager

[Lars Magne Ingebrigtsen]

Ted Zlatanov <address@hidden> writes:

> I am not a cryptographer so I hope some of those step in and suggest
> what's best. To me from what I know and based on the cited references,
> it seems it could be a choice but pinning the public key is better for
> most people. They won't have to accept again every time the certificate
> is reissued.

Hm...  might one not want to track the certificate, though?  If it's
changed, then there might be shenanigans.

But if the attacker can generate traffic with the trusted public key,
the site would have larger problems than with the certificate, so
perhaps it doesn't add anything much security-wise...

> Also, we're hashing the SubjectPublicKeyInfo not the public key bit
> string. The SPKI includes the type of the public key and some parameters
> along with the public key itself.

Does gnutls have a function to fingerprint that info?  Or access it in
raw form?  I guess we could just sha1 it ourselves.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no