[spam][crazy] Adding Cert Pinning to E-X
grarpamp
grarpamp at gmail.com
Sun Feb 20 01:20:48 PST 2022
> how pubkey pinning differs from that much
Try pinning google's, or any letsencrypt, end service full DER certs,
it's a maintenance headache because they're constantly changing.
Pinning google's intermediate certs (pubkey or full DER), or the LE
end service pubkeys, can reduce maintenance, with same security.
> isn't a certificate just wrapping for a pubkey?
A wrapping, over that and more meta fields.
P2P nets might not have use for much more
than what's in the TOFU paragraph.
Bitcoin's and other cryptos total lack of both wire privacy
and coin privacy, still through to this day, almost seems
nefariously intentional.
Refs...
openssl x509 -text
https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning
https://cheatsheetseries.owasp.org/cheatsheets/Pinning_Cheat_Sheet.html
https://curl.haxx.se/libcurl/c/CURLOPT_PINNEDPUBLICKEY.html
https://www.netcraft.com/internet-data-mining/ssl-survey/
https://www.ssllabs.com/ssl-pulse/
https://arstechnica.com/gadgets/2018/10/browser-vendors-unite-to-end-support-for-20-year-old-tls-1-0/
https://www.bleepingcomputer.com/news/security/ietf-approves-tls-13-as-internet-standard/
https://en.wikipedia.org/wiki/Transport_Layer_Security
https://tools.ietf.org/html/rfc8446
https://github.com/OWASP/www-community/blob/master/pages/controls/Certificate_and_Public_Key_Pinning.md
https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Pinning_Cheat_Sheet.md
https://github.com/curl/curl/blob/master/docs/cmdline-opts/pinnedpubkey.d
https://github.com/curl/curl/blob/deb9462ff2de8e955c67ed441f5f48619a31198d/docs/libcurl/opts/CURLOPT_PINNEDPUBLICKEY.3
https://github.com/curl/curl/blob/51fde337471c9125e7bf425e7ce0a0bf53691992/docs/TODO#L728
Recommendations for Secure Use of Transport Layer Security (TLS)
https://tools.ietf.org/html/rfc7525
Pervasive Monitoring Is an Attack
https://tools.ietf.org/html/rfc7258
Privacy Considerations for Internet Protocols
https://tools.ietf.org/html/rfc6973
Certificate Transparency
https://tools.ietf.org/html/rfc6962
Strong Security Requirements for Internet Engineering Task Force
Standard Protocols
https://tools.ietf.org/html/rfc3365
Guidelines for Writing RFC Text on Security Considerations
https://tools.ietf.org/html/rfc3552
IETF Policy on Wiretapping
https://tools.ietf.org/html/rfc2804
IAB and IESG Statement on Cryptographic Technology and the Internet
https://tools.ietf.org/html/rfc1984
Privacy Requirements for IETF Protocols
https://tools.ietf.org/html/draft-cooper-ietf-privacy-requirements-01
It is the consensus of the IETF that our protocols be designed to
avoid privacy violations to the extent possible.
Handling Pervasive Monitoring in the IETF (perpass) (WG)
https://www.ietf.org/proceedings/88/perpass.html
https://www.ietf.org/mailman/listinfo/perpass
Opportunistic Security: Some Protection Most of the Time
https://tools.ietf.org/html/rfc7435.html
More information about the cypherpunks
mailing list