Revocation in this case of pinned key means setting the max-age to 0 of the previous key and pinning a new key. This must be done before attacker is able to MITM.
Proposed ideas must be compared to current situation, not a utopia. DANE is not the best solution. Trusting governments is a failure right there. But it is an improvment to the current mess.
this sounds identical to google CRLSet. Basically a list of pinned certs inside source code. > In the future, we would like to support dynamic pinsets rather than relying on built-in ones. HTTP Public Key Pinning (HPKP)…
TACK is a TLS extension. It must be added to TLS 1.3 RFC.
Revocation in this case of pinned key means setting the max-age to 0 of the previous key and pinning a new key. This must be done before attacker is able to MITM.
Proposed ideas must be compared to current situation, not a utopia. DANE is not the best solution. Trusting governments is a failure right there. But it is an improvment to the current mess.
this sounds identical to google CRLSet. Basically a list of pinned certs inside source code. > In the future, we would like to support dynamic pinsets rather than relying on built-in ones. HTTP Public Key Pinning (HPKP)…
TACK is a TLS extension. It must be added to TLS 1.3 RFC.