How does public key pinning work and what problem does it solve?
-
Well, I know what certificate pinning is, but that might differ from generic "public key" pinning. – LateralFractal Oct 14 '14 at 13:46
-
That's why I'm here to ask :) Well, I have a rough idea, but maybe one can give a clarifying example. – Mike Dooley Oct 14 '14 at 13:47
-
possible duplicate of [What is certificate pinning?](http://security.stackexchange.com/questions/29988/what-is-certificate-pinning) – RoraΖ Oct 14 '14 at 13:50
-
To be honest, I'm not sure. I did read the answer to that post, but it didn't mention any concepts of public key pinning that I'm aware of right now. – Mike Dooley Oct 14 '14 at 13:53
-
For SSL, pinning means your browser should not automatically accept a new website certificate for an existing site, as there are enough flaws in the Root CA ecology that the new valid cert could be a government sockpuppet or a successful server hack. – LateralFractal Oct 14 '14 at 13:54
1 Answer
It means that rather than trusting a central authority for validating the PKI, you are utilizing your own means to determine that a public key is valid. Pinning allows removal of the trust of a central authority and instead takes that responsibility on directly.
The "problem" that it is trying to solve is relying on third-party trust; however, it requires that proper steps be taken to ensure first-party trust and to make sure that revocation is not impeded if the pinned certificate/public key's corresponding private key is lost.
Many techniques can be used for establishing the trust, but some common ones are distributing the pin with an application that requires communication or verifying via an offline side channel. Revocation checking could be done through operating a revocation list similar to how a CA would normally do so, though this takes some more setup to do properly.
There isn't a practical difference between certificate and public key pinning as a certificate is just a public key with details about the holder of the private key. Pinning just implies trust of that cert/key.
-
ok, thx for your input. Can you explain how the trust is actually achieved then? – Mike Dooley Oct 14 '14 at 14:01
-
There are way too many possible ways to enumerate here, but I added a couple to the post. – AJ Henderson Oct 14 '14 at 14:04
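As an added example (not part of the question, the answer, or any comment above), here is the core of a public key pin check written in plain Python with no third-party packages. A pin is the SHA-256 of the DER-encoded SubjectPublicKeyInfo (SPKI) taken from a certificate, which is what browser HPKP and Android's network security config used; the client ships a small set of such hashes and rejects a server whose presented key hashes to none of them, regardless of which CA signed the certificate. The certificates below are constructed DER structures with placeholder signatures and a made-up RSA modulus, built only so the code runs offline; they are not real keys. The example also shows the one place where public key pinning and whole-certificate pinning behave differently: a renewed certificate for the same key still matches an SPKI pin but gets a new certificate fingerprint, and keeping a pin for a spare key that is stored offline is how you avoid locking clients out if the live private key is lost.

```python
import base64
import hashlib

# --- minimal DER helpers (written for this example, not a general ASN.1 library) ---
SEQ, SET, INT, BITSTR, NULL, OID, UTF8, UTCTIME, CTX0 = (
    0x30, 0x31, 0x02, 0x03, 0x05, 0x06, 0x0C, 0x17, 0xA0)


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def der_int(n):
    # Extra leading zero byte when the top bit is set, so the INTEGER stays positive.
    return n.to_bytes((n.bit_length() + 8) // 8, "big")


def read_tlv(buf, pos):
    """Return (tag, content, position after this element) for the element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


# --- the pinning logic ---
def extract_spki(cert_der):
    """Return the raw SubjectPublicKeyInfo element (tag + length + content) of a DER certificate."""
    _, cert_body, _ = read_tlv(cert_der, 0)        # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert_body, 0)             # tbsCertificate SEQUENCE
    pos = 0
    tag, _, nxt = read_tlv(tbs, pos)
    if tag == CTX0:                                # optional [0] EXPLICIT version
        pos = nxt
    for _ in range(5):                             # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(tbs, pos)
    _, _, end = read_tlv(tbs, pos)                 # subjectPublicKeyInfo
    return tbs[pos:end]


def spki_pin(cert_der):
    """pin-sha256 as HPKP spelled it: base64(SHA-256(DER SPKI))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def cert_fingerprint(cert_der):
    """Fingerprint of the whole certificate, what a certificate (not key) pin would compare."""
    return hashlib.sha256(cert_der).hexdigest()


def check_pin(cert_der, pinned):
    """True if the presented certificate's public key is one of the pinned keys."""
    return spki_pin(cert_der) in pinned


# --- constructed test certificates (placeholder key material, not real keys) ---
def rsa_spki(modulus, exponent=65537):
    alg = tlv(SEQ, tlv(OID, bytes.fromhex("2A864886F70D010101")) + tlv(NULL, b""))  # rsaEncryption
    pub = tlv(SEQ, tlv(INT, der_int(modulus)) + tlv(INT, der_int(exponent)))
    return tlv(SEQ, alg + tlv(BITSTR, b"\x00" + pub))


def name(cn):
    return tlv(SEQ, tlv(SET, tlv(SEQ, tlv(OID, bytes.fromhex("550403")) + tlv(UTF8, cn.encode()))))


def build_cert(serial, subject_cn, spki):
    sig_alg = tlv(SEQ, tlv(OID, bytes.fromhex("2A864886F70D01010B")) + tlv(NULL, b""))  # sha256WithRSA
    validity = tlv(SEQ, tlv(UTCTIME, b"240101000000Z") + tlv(UTCTIME, b"250101000000Z"))
    tbs = tlv(SEQ, tlv(CTX0, tlv(INT, b"\x02")) + tlv(INT, der_int(serial)) + sig_alg
              + name("Example CA") + validity + name(subject_cn) + spki)
    placeholder_sig = tlv(BITSTR, b"\x00" * 33)    # not a real signature; never verified here
    return tlv(SEQ, tbs + sig_alg + placeholder_sig)


LIVE_KEY = rsa_spki(int.from_bytes(b"\xc1" * 32, "big"))      # constructed, not a real modulus
BACKUP_KEY = rsa_spki(int.from_bytes(b"\xb7" * 32, "big"))    # spare key kept offline
ROGUE_KEY = rsa_spki(int.from_bytes(b"\xa3" * 32, "big"))     # key of a mis-issued cert

CERT_CURRENT = build_cert(1, "example.com", LIVE_KEY)
CERT_RENEWED = build_cert(2, "example.com", LIVE_KEY)         # same key, new serial
CERT_ROGUE = build_cert(3, "example.com", ROGUE_KEY)          # valid chain elsewhere, wrong key

# Pin set shipped with the client: the live key plus a backup pin for the spare key.
PINS = {spki_pin(CERT_CURRENT), spki_pin(BACKUP_KEY and build_cert(9, "example.com", BACKUP_KEY))}

if __name__ == "__main__":
    for label, cert in [("current", CERT_CURRENT), ("renewed", CERT_RENEWED), ("rogue", CERT_ROGUE)]:
        print(f"{label:8s} pin={spki_pin(cert)} accepted={check_pin(cert, PINS)}")
```

The renewed certificate passes because the pin is over the key, not the certificate; the rogue one fails even though nothing in this check looked at who signed it. Note that the check replaces the question "does a trusted CA vouch for this?" with "is this the key I expected?", which is exactly the shift in responsibility the answer describes, and the backup pin is the operational cost of that shift.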