[go: up one dir, main page]
|
|
Log in / Subscribe / Register

Vulerable Pre-saved Secondary Key for HPKP

Vulerable Pre-saved Secondary Key for HPKP

Posted Nov 24, 2015 13:39 UTC (Tue) by robbe (guest, #16131)
In reply to: Vulerable Pre-saved Secondary Key for HPKP by biergaizi
Parent article: Changes in the TLS certificate ecosystem, part 2

I think a good workflow is to generate keys on a „trusted“ machine, and only upload the *current* key to your internet-facing server.

The "next" key (second hash in the pin) only touches this server when it's time to rotate keys.

Alternatively, if you find that you trust your current CA's security more than the security of your machines, put the CA's key in the pin. This way, no other CA will be able to issue a certificate for your server. At least not to MITM your regular visitors.

to post comments


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds