Re: [Tails-dev] Testing the ISO Verification Extension

Author: sajolida
Date:  
To: The Tails public development discussion list
Subject: Re: [Tails-dev] Testing the ISO Verification Extension
Giorgio Maone:
> On 17/11/2015 17:11, sajolida wrote:
>> Giorgio Maone:
>>> Now you've got the flexibility of choosing to pin the domain cert, the
>>> issuer's (CA's) cert or both.
>> I've seen that in conf.json. Regarding the different kinds of pinning,
>> how do you switch from trusting the cert to trusting the issuer or both?
>> By adding and removing the corresponding information in the
>> configuration file? Is it that any pinning available in the
>> configuration file is trusted?
>>
> In the "pins" section, you can add as many "certs" and "issuers" entries
> as you want, listing identifiers for domain certificates and their
> issuers, respectively.
> Whether they're actually used to verify a certain domain or not is
> determined by the content of "pins" > "domains", though.
> This section currently looks like this:
>
> "domains": {
>   "tails.boum.org": {
>     "cert": null,
>     "issuer": "Gandi"
>   },
>   "maone.net": {
>     "cert": "maone.net",
>     "issuer": "COMODO"
>   }
> }
>
> For any entry in "domains", you can specify a reference to a "certs"
> entry ("cert"), to an "issuers" entry ("issuer") or both.
> In the example above, "tails.boum.org" is pinned on its issuer ("Gandi")
> only (because "cert" is null, rather than "*.boum.org"), while the
> "maone.net" domain is pinned both on the certificate referenced by the
> "maone.net" key and to the "COMODO" issuer.
>
> If I've not been clear enough, feel free to ask.


Crystal clear, thanks. I'm quite tired these days due to tons of work. I
didn't pay enough attention to the differences between tails.boum.org
and maone.net (like "cert": null).
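
Added example, not part of the original message and not the extension's own code: a sketch of how the "domains" references described above could be resolved and checked. It assumes that "certs" and "issuers" map a name to a fingerprint string, that the observed fingerprints arrive as a { cert, issuer } object, and that unlisted domains, dangling references and entries that pin nothing are rejected; the names resolveRef and checkPins and all fingerprint values are constructed for illustration.

```javascript
// Added illustration, not the extension's code. Assumed: "certs" and "issuers"
// map a name to a fingerprint string. All fingerprints below are constructed.
const pins = {
  certs: { "maone.net": "AA:01" },
  issuers: { "Gandi": "BB:02", "COMODO": "CC:03" },
  domains: {
    "tails.boum.org": { cert: null, issuer: "Gandi" },
    "maone.net": { cert: "maone.net", issuer: "COMODO" }
  }
};

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj || {}, key);

// Resolve a "cert" or "issuer" reference against its table.
// null means "not pinned on this"; a name with no entry is a config error.
function resolveRef(table, name) {
  if (name === null || name === undefined) return { pinned: false };
  if (!has(table, name)) return { pinned: true, error: `dangling reference "${name}"` };
  return { pinned: true, expected: table[name] };
}

// seen = { cert, issuer }: fingerprints observed on the connection (hypothetical shape).
function checkPins(pins, domain, seen) {
  if (!has(pins.domains, domain)) {
    return { ok: false, checked: [], reason: "domain has no pin entry" };
  }
  const entry = pins.domains[domain];
  const checked = [];
  for (const [field, table] of [["cert", pins.certs], ["issuer", pins.issuers]]) {
    const ref = resolveRef(table, entry[field]);
    if (!ref.pinned) continue;                       // e.g. "cert": null
    if (ref.error) return { ok: false, checked, reason: `${field}: ${ref.error}` };
    if (seen[field] !== ref.expected) return { ok: false, checked, reason: `${field} mismatch` };
    checked.push(field);
  }
  // Fail closed if the entry pins nothing at all (both references null).
  if (checked.length === 0) return { ok: false, checked, reason: "entry pins nothing" };
  return { ok: true, checked, reason: "all configured pins matched" };
}
```

With this configuration a rotated leaf certificate for "tails.boum.org" still passes as long as the issuer matches, while "maone.net" fails on either a changed certificate or a changed issuer.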