[Discuss] comcast wifi question

Edward Ned Harvey (blu) blu at nedharvey.com
Wed Nov 12 07:02:33 EST 2014


> From: discuss-bounces+blu=nedharvey.com at blu.org [mailto:discuss-
> bounces+blu=nedharvey.com at blu.org] On Behalf Of Bill Ricker
> 
> On Tue, Nov 11, 2014 at 6:50 PM, Richard Pieri <richard.pieri at gmail.com>
> wrote:
> > Nutshell version: pinning is what SSH has been doing with host keys since
> > the get-go.
> 
> Yes, that.
> 
> ( Can't imagine why this wasn't done day 1 for HTTPS also unless they
> thought the initial set of CAs would have indefinite oligopoly. )

Maybe I missed your point - Pinning is impractical for two reasons, which is really one reason:  There's the initial trust issue, and a re-assertion of the initial trust issue every time the server changes its key.  It is normal for a server to change its cert from time to time, and it is also normal for a client to browse to a site for the first time.

It is funny that Google, Apple, and Mozilla all have these crazy ridiculous lists of CAs that they trust.  And ironic that Microsoft is the only one who's reasonable.
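The two problems raised above (the blind first-contact decision, and the fact that a key change looks exactly like a man-in-the-middle to a client that only has a pin) can be seen in a few lines of code. The following is an added example, not code from this thread or from SSH; it models an SSH-style trust-on-first-use pin store and, as an assumption borrowed from HPKP-style backup pins, shows how pre-announcing the pin of the *next* key lets a server rotate without tripping the mismatch. The hostnames, the PinStore class and the byte strings standing in for DER-encoded public keys are all constructed for the example.

```python
"""Trust-on-first-use (TOFU) pinning, as SSH does with host keys.

Added example, not code from the mailing-list thread.  Public keys are
represented by constructed byte strings instead of real DER encodings; the
pin is a SHA-256 over those bytes, the same shape as an HPKP/SPKI pin.
"""
import hashlib
from enum import Enum


class Verdict(Enum):
    FIRST_CONTACT = "no pin stored: trusting this key blindly (the initial trust problem)"
    MATCH = "presented key matches a stored pin"
    MISMATCH = "presented key matches no stored pin: rotation or MITM, indistinguishable"


def spki_pin(public_key_der: bytes) -> str:
    """Pin = hex SHA-256 of the (simulated) SubjectPublicKeyInfo bytes."""
    return hashlib.sha256(public_key_der).hexdigest()


class PinStore:
    """Hypothetical client-side pin store (like ~/.ssh/known_hosts)."""

    def __init__(self) -> None:
        self._pins: dict[str, set[str]] = {}  # host -> accepted pins

    def check(self, host: str, presented_key_der: bytes, backup_pins=()) -> Verdict:
        """Decide whether to accept the key the server just presented.

        backup_pins: pins the server advertises for keys it may rotate to
        (assumption: HPKP-style backup pins; plain SSH has no equivalent).
        """
        pin = spki_pin(presented_key_der)
        known = self._pins.get(host)
        if known is None:
            # First contact: nothing to compare against, so we record whatever
            # we were shown, backup pins included.  An attacker present *now*
            # wins permanently.
            self._pins[host] = {pin, *backup_pins}
            return Verdict.FIRST_CONTACT
        if pin in known:
            # Accepted.  Learn any newly advertised backup pins for future rotation.
            known.update(backup_pins)
            return Verdict.MATCH
        # Server changed its key, or someone is in the middle.  A pin-only
        # client cannot tell which; this is the "re-assertion of trust" problem.
        return Verdict.MISMATCH


def demo() -> list[Verdict]:
    """Walk through first contact, a clean reconnect, a rotation without and
    with a pre-announced backup pin, and an unknown key.  Returns the verdicts
    in order so they can be checked."""
    key_a = b"constructed-public-key-A"  # stand-ins for DER-encoded keys
    key_b = b"constructed-public-key-B"
    key_c = b"constructed-public-key-C"
    host = "mail.example.org"  # constructed hostname

    plain = PinStore()
    results = [
        plain.check(host, key_a),  # FIRST_CONTACT: blind trust
        plain.check(host, key_a),  # MATCH: same key next time
        plain.check(host, key_b),  # MISMATCH: legitimate rotation looks like an attack
    ]

    # Same scenario, but the server announced key C's pin as a backup on first
    # contact, so rotating to key C is accepted; an unannounced key B is not.
    with_backup = PinStore()
    with_backup.check(host, key_a, backup_pins=[spki_pin(key_c)])
    results.append(with_backup.check(host, key_c))  # MATCH: rotation was pre-announced
    results.append(with_backup.check(host, key_b))  # MISMATCH: never announced
    return results


if __name__ == "__main__":
    for verdict in demo():
        print(verdict.name, "-", verdict.value)
```

The backup-pin path is the only thing that turns a key change from a hard failure into a routine event, and it still does nothing for the very first connection, which is the part SSH users have lived with as the "are you sure you want to continue connecting?" prompt.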


