[Fetchmail-users] 7.x: Public Key Pinning, Intermediate Key Trust, Certificate Transparency Observatories, Fingerprints, TLS

[grarpamp <gra...@gm...>]

Certificate fingerprint pinning is fairly common and
some here have posted new applicability schemes
for it in 7.x.

Some more features that may not have been mentioned yet...


Public Key Pinning
There should likely also be an option to pin down
and trust just the public key of the certs (or in combination
with other checks as warranted) since some entities
push the same key into subsequent CSR's when
refreshing their expiry, instead of say generating
a new key.
Thus pubkey pinning is nicely a bit less finegrained
than fingerprint pinning, working across renewals,
while still not having to trust CA's and the third party
cert stores.

See:
https://curl.haxx.se/libcurl/c/CURLOPT_PINNEDPUBLICKEY.html
wget [--ca-certificate= ...] --pinnedpubkey=<sha256// pubkey der>
wget [--ca-certificate= ...] --pinnedpubkey=<pubkeyfile pem|der>


Intermediate Key Trust
It should be possible to say, I trust
 (via PKP or fingerprint, or hashdir, or file)
- Letsencrypt, Google, Whoever's intermediate key[s]
that aren't in the global cert stores,
and may or may not be supplied by the server,
thus letting all server certs signed by such an intermediate
key be accepted, subject to passing any other checks
configured for that server stanza module, including possibly
ignoring the CA's and cert store checks.


TLS
Before release 7.x should rename all
references to "SSL / ssl" to the now explicitly
correct decade old "TLS", except where some
actual context of explicitly named SSL version
number grants use of "ssl" word.


Certificate Transparency Observatories
Don't know what the state of libraries for checking these is.
I think google has also created a CT project.


Surveying other command line utilities that interface
with TLS services as to these features might be useful
to guide and help 7.x continue being a fine TLS example :)