[gnutls-devel] How to generate sums for Public-Key-Pins HTTP header ?

Nikos Mavrogiannopoulos nmav at gnutls.org
Thu Feb 23 13:21:06 CET 2017


On Wed, Feb 22, 2017 at 11:51 PM, Daniel Kahn Gillmor
<dkg at fifthhorseman.net> wrote:
> On Wed 2017-02-22 04:54:14 -0500, Nikos Mavrogiannopoulos wrote:
>> Well adding something is easy, but the output of certificate
>> information seems already quite bloated with Fingerprint
>> (sha1/sha256), Public Key ID (sha1/sha256) and random art. Any ideas
>> on what we could remove?
>
> I've always been dubious about the utility of random art.  it seems
> *more* difficult for humans to do an exact match on than fingerprints,
> and it takes up a lot of space.  I'm not sure what its advantages are,
> but if space is at a premium, it looks like the obvious choice to cut
> to me.

I kind of agree. Space is not really a premium but I'm of the opinion
that very long output qualifies more as noise rather than something
useful. I've added the ability for certtool to print the key pins in
both 3.5.x and master, and I have removed the random art printing in
master only.

regards,
Nikos



More information about the Gnutls-devel mailing list