
It has implications for certificate pinning (like that used in Chrome) if you can only pin to CAs that operate in a single regulatory domain.


Indeed, I hadn't considered that.

Though, if you are pinning in an app and not just in-browser, you can bundle your internal CA cert in the binary and sidestep the whole mess.

This is what I advise my customers that have security-sensitive stuff to do. The PKI can no longer be trusted.
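As an added illustration of the approach in the comment above (this is example code written for this page, not the commenter's), the Go program below builds a throwaway private CA in memory, compiles its PEM into a tls.Config as the only trust anchor, and shows that a certificate for the same hostname issued by any other CA is rejected. Everything in it is constructed on the spot: the two CAs, the hostname api.internal.example, and the helper names are all assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// privateCA is a throwaway in-process CA constructed for this example.
// In a real deployment the key stays offline; only caPEM ships in the client.
type privateCA struct {
	cert  *x509.Certificate
	key   *ecdsa.PrivateKey
	caPEM []byte
}

func newPrivateCA(name string) (*privateCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return &privateCA{cert: cert, key: key, caPEM: caPEM}, nil
}

// issue signs a server certificate for host and returns its DER encoding.
func (ca *privateCA) issue(host string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &key.PublicKey, ca.key)
}

// pinnedConfig makes the embedded CA the client's entire trust store: RootCAs
// replaces the OS/browser roots, so no public CA can mint a certificate this
// client accepts. Hand the result to tls.Dial or an http.Transport.
func pinnedConfig(caPEM []byte, host string) (*tls.Config, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, fmt.Errorf("embedded CA PEM did not parse")
	}
	return &tls.Config{RootCAs: pool, ServerName: host, MinVersion: tls.VersionTLS12}, nil
}

// verifyChain is the decision the TLS client makes with pinnedConfig: chain the
// presented leaf (DER) to a root in cfg.RootCAs and match cfg.ServerName.
func verifyChain(cfg *tls.Config, leafDER []byte) error {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{
		Roots:     cfg.RootCAs,
		DNSName:   cfg.ServerName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	ours, _ := newPrivateCA("Internal Root (constructed)")
	other, _ := newPrivateCA("Some Other CA (constructed)")
	cfg, _ := pinnedConfig(ours.caPEM, "api.internal.example")
	good, _ := ours.issue("api.internal.example")
	rogue, _ := other.issue("api.internal.example") // right name, wrong issuer
	fmt.Println("leaf from our CA:   ", verifyChain(cfg, good))  // <nil>
	fmt.Println("leaf from other CA: ", verifyChain(cfg, rogue)) // unknown authority
}
```

The cost of this approach is that rotation is now your problem: the client only trusts what is compiled in, so the embedded CA has to be replaced through an app update before it expires, and an attacker who can modify the binary can swap the anchor just as easily as you can.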


"No longer"? It could never be trusted, and many of us said so when it was first introduced. It's just taken a while for everyone else to realise that we were right.



