Re: [Sks-devel] Unde(r)served HKPS [was: Underserved areas?]

sks-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Sks-devel] Unde(r)served HKPS [was: Underserved areas?]

From:	Daniel Kahn Gillmor
Subject:	Re: [Sks-devel] Unde(r)served HKPS [was: Underserved areas?]
Date:	Wed, 17 Jan 2018 23:49:13 -0500

On Sun 2018-01-14 18:23:59 +0000, Heiko Richter wrote:
> hardcoding a root certificate into a program has
> *never* been any kind of accepted security system.

pinning certificates (either end-entity or further up the chain) is
considered a good practice in a design where there is an expected
service that will be connected to, and that service has a known
certificate management lifecycle.

You see this regularly in mobile app development.  for example:

https://stackoverflow.com/questions/15728636/how-to-pin-the-public-key-of-a-certificate-on-ios

GnuPG is not a mobile app, but it does ship with some built-in knowledge
about the keyserver pool, and it uses that knowledge *specifically* for
the sake of secure connections to the pool.

This is commonly-accepted best practice because it reduces the exposure
to all the rest of the CA cartel mishegas.

Many thanks to Kristian for managing the pool for so long!

   --dkg

signature.asc
Description: PGP signature

[Prev in Thread]

Current Thread

[Next in Thread]

[Sks-devel] Fwd: Re: Unde(r)served HKPS [was: Underserved areas?], (continued)

Prev by Date: Re: [Sks-devel] Krisitian?
Next by Date: Re: [Sks-devel] disk space
Previous by thread: [Sks-devel] Fwd: Re: Unde(r)served HKPS [was: Underserved areas?]
Next by thread: Re: [Sks-devel] Unde(r)served HKPS [was: Underserved areas?]
Index(es):
- Date
- Thread