westurner 5 hours ago
Does other software support specifying a CA bundle per domain or cert pinning? Should FIPS specify a more limited CA cert bundle and/or cert pinning that users manage? When the user approves a self-signed cert in the browser, isn't that cert pinning but without PKI risks and assurances? What about CRL and OCSP; over what channel do they retrieve the cert revocation list; and can CT (Certificate Transparency) on a blockchain to the browser do better at [pinned] cert revocation?
westurner 5 hours ago
Also probably relevant to these objectives:

"Chrome switching to NIST-approved ML-KEM quantum encryption" (2024) https://www.bleepingcomputer.com/news/security/chrome-switch...

"A new path for Kyber on the web" (2024) https://security.googleblog.com/2024/09/a-new-path-for-kyber...

Does Swift yet support ML-KEM too?