Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
toast0 4 days ago

Typical guidance is to pin the CA or intermediate, because in case of a key compromise, you're going to need to generate a new key.

You should really generate a new key for each certificate, in case the old key is compromised and you don't know about it.

What would really be nice, but is unlikely to happen would be if you could get a constrained CA certificate issued for your domain and pin that, then issue your own short term certificates from there. But if those are wide spread, they'd need to be short dated too, so you'd need to either pin the real CA or the public key and we're back to where we were.

nickf 4 days ago | parent [-]

I've said it up-thread, but never ever never never pin to anything public. Don't do it. It's bad. You, and even the CA have no control over the certificates and cannot rely on them remaining in any way constant. Don't do it. If you must pin, pin to private CAs you control. Otherwise, don't do it. Seriously. Don't.

toast0 3 days ago | parent | next [-]

There's not really a better option if you need your urls to work with public browsers and also an app you control. You can't use a private CA for those urls, because the public browsers won't accept it; you need to include a public CA in your app so you don't have to rely on the user's device having a reasonable trust store. Including all the CAs you're never going to use is silly, so picking a few makes sense.

richardwhiuk 3 days ago | parent [-]

You don't need both of those things. Give your app a different url.

ori_b 3 days ago | parent | prev | next [-]

Why should I trust a CA that has no control over the certificate chains?

nickf 3 days ago | parent [-]

Because they operate in a regulated, security industry where changes happen - sometimes beyond their control?

einsteinx2 3 days ago | parent | prev [-]

Repeating it doesn’t make it any more true. Cert providers publish their root certs, you pin those root certs, zero problems.

nickf 3 days ago | parent | next [-]

Then the CA goes away, like Entrust. Huge problems. I speak (sadly) from experience.

Plasmoid 3 days ago | parent | prev [-]

They rotate those often enough.