LetsEncrypt Client Pinning

I’m working on a Let’s Encrypt client, and have a question about pinning.

Would it be advisable to pin one of the certificates in the certificate chain for ACME itself, such as TrustID Server CA A52?

We’d like to pin a certificate for the Boulder server in our client, but if there is no reasonable assurance that the intermediate’s public key won’t change unannounced, we’ll have to skip the idea.

On a slightly related thought, it would be nice if LetsEncrypt advertised what public keys to pin, probably using the standard Public-Key-Pins HTTP header so that clients which want to pin against LetsEncrypt’s ACME CA, can.

I would strongly discourage you from pinning any certificates in your ACME client. As you’ve no doubt noticed, we don’t currently set an HPKP header, so we’re not committing to serve any particular certificate chain for the API.

Thanks,
Jacob

Jacob,

Thanks for clarifying. We won’t do pinning; hopefully one day it’s something that LE can do.

Indeed, it would be nice to have an HPKP header for the API. And LE clients should of course respect this header if possible.
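What a client "respecting" a Public-Key-Pins header would have to check, and why an unannounced intermediate change breaks a pinned client, shown as an added example (not code from Let’s Encrypt or from any poster in this thread). It follows the RFC 7469 rules for noting pins; the SPKI byte strings are constructed stand-ins for real DER-encoded keys, and all function names are hypothetical.

```python
import base64
import hashlib

def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def parse_pkp(header: str):
    """Parse a Public-Key-Pins value into (max_age, pins); ValueError if malformed."""
    max_age, pins = None, set()
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                raise ValueError("bad or repeated max-age")
            max_age = int(value)
        elif name == "pin-sha256":
            raw = base64.b64decode(value, validate=True)  # binascii.Error is a ValueError
            if len(raw) != 32:
                raise ValueError("pin is not a SHA-256 digest")
            pins.add(base64.b64encode(raw).decode("ascii"))
        # other directives (includeSubDomains, report-uri) are ignored in this sketch
    if max_age is None:
        raise ValueError("max-age is required")
    return max_age, frozenset(pins)

def chain_satisfies(pins, chain_spkis) -> bool:
    """True if at least one SPKI in the presented chain is pinned."""
    return any(spki_pin(s) in pins for s in chain_spkis)

def note_pins(header: str, chain_spkis):
    """Return (max_age, pins) to store, or None if the header must not be noted."""
    max_age, pins = parse_pkp(header)
    chain_pins = {spki_pin(s) for s in chain_spkis}
    # RFC 7469: one pin must match the current chain, one must be a backup outside it
    if max_age == 0 or not (pins & chain_pins) or not (pins - chain_pins):
        return None
    return max_age, pins

# Constructed stand-ins for DER SubjectPublicKeyInfo bytes (not real keys)
LEAF, INTERMEDIATE = b"constructed-leaf-spki", b"constructed-intermediate-spki"
BACKUP, ROTATED = b"constructed-backup-spki", b"constructed-rotated-intermediate-spki"

if __name__ == "__main__":
    hdr = 'pin-sha256="%s"; pin-sha256="%s"; max-age=5184000' % (
        spki_pin(INTERMEDIATE), spki_pin(BACKUP))
    _, stored = note_pins(hdr, [LEAF, INTERMEDIATE])
    print("current chain ok:", chain_satisfies(stored, [LEAF, INTERMEDIATE]))
    print("after unannounced rotation:", chain_satisfies(stored, [LEAF, ROTATED]))
```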