Home > Software engineering >  Could certificate pinning work if one checks the intermediate certificate when the leaf certificate
Could certificate pinning work if one checks the intermediate certificate when the leaf certificate

Time:08-25

I have a scenario in mind where ; When the leaf certificate expires, the intermediate certificate is checked and if the intermediate is not expired, the application will keep running and will not be affected while the leaf is getting updated. Kinda like adding a condition to check the validity of the intermediate certificate in the step of checking the validity of the leaf certificate. Is something like this possible? If so, will there be any security problems with doing this?

CodePudding user response:

If so, will there be any security problems with doing this?

Most CAs won't entertain the notion of revoking an already expired certificate, because it's already the case that no one should be trusting it.

So your scheme, at minimum, reduces the ability to revoke certificates.

The notAfter date in a certificate isn't when the ops people/process should request a new certificate, it's when they need to have already completed the changeover. Making a complicated grace period will just change people who are already not doing it on time to not do it until beyond the grace period... they're clearly error-driven/alert-driven people.

Page link:https//www.codepudding.com/Softwareengineering/522765.html

Prev:What data type is ideal for a float value ranging from -1 to 1 in TensorFlow/Numpy?
Next:error by using in PDFTron:' NetworkError(`Unsupported protocol ${this._url.protocol}`'
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding