GTFO of there! Security researchers turn against HTTP public key pinning Security researchers have endorsed industry guru Scott Helme's vote of no confidence in a next-generation web crypto technology. Helme said he was "giving up on HPKP" after experimenting with the tech and ultimately finding it too cumbersome for mainstream use even among security-conscious organisations. HTTP Public Key …
It actually makes more sense to pin further up the chain. For example, if I pin to Thawte's intermediate, it's a clear, unequivocal message that I use Thawte (I don't, and other CAs are available) and a certificate issued by, say, Wosign (fat chance) is going to be malicious.
That way you can revoke, regenerate and reconfigure at whim as long as your trust chain remains unbroken.
Great idea, but it only makes sense if:
1) Your chosen CA will never issue a certificate in error (not pointing any fingers at wosign specifically) and
2) You stick with the same CA for long enough. I've changed CA pretty much every renewal as they all have introductory offers that make the certs a reasonable price, but at renewal time it's "standard pricing" which is ludicrously expensive (looking at godaddy in particular). Naturally LetsEncrypt is now viable so this may not be an issue in future, but how much faith do you put in such an organisation to stick around?
It's not that I'm paranoid, but I simply don't trust the tin-foil manufacturers to offer enough head protection.
If you run HTTPS then publish your cert in your DNSSEC authenticated DNS records.
It's not necessarily fully sideband communication, but it's pretty close to it.
If I can't find your cert in your DNS then I have to trust the CA, if I can find it then it could even be self signed (I do need to trust the holders of the root DNS keys, and the chain below that, but I think they have demonstrated themselves more trustworthy than most of the CA's baked into all our browsers).
To be fair - this could be combined with the above idea (Chronos) and put the CA cert in your DNS...
You need to keep some eye on when that changes, but you need to do that what/how-ever you are pinning.
You realize you're speaking of DANE. It doesn't exactly run with HTTPS; more specifically it works with the TLS protocol.
However there are some problems using this method on the client side of operations since most application APIs aren't coded to handle this method of adding security to TLS.
DANE it is then - I'm surprised it took 7 years to get from DNSSEC to DANE, it took me about 30 seconds to realise that it was a pretty damned good way to distribute public keys. (I stopped actively mentioning it and looking for it about 7-8 years ago (job change)).
DANE support being baked into browsers would make life much easier for many people. I could pin the top level let's encrypt CAs and forget about it for a long while.
We could also drop most of the root CAs from browsers (or at least devalue them to orange padlocks or something, until explicitly trusted (per site or globally?))
As mentioned below - the CAA record does some of the same, although the actual keys are still not explicitly presented.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
