CheatSheetSeries

Update: Pinning Cheat Sheet

Open MarkSRobinson opened this issue 3 weeks ago • 7 comments

What is missing or needs to be updated?

The current cheat sheet recommends certificate pinning. This is actually really bad from an operational sense because certificates have to be rotated out frequently. Currently all publicly signed leaf certificates have a maximum life of 397 days, and there is a proposal to drop this down to 90 days.

Most crypto systems change out the key on each renewal. Google is proposing to require all root certs to use new key data when refreshed. Keys also require replacement as recommended sizes gradually increase, and if there is a potential security breach all keys should be proactively rotated even if the key material has not been compromised.

Digicert recommends against certificate pinning.

Key pinning has generally caused more problems than it solves, as the inevitable key changes cause widespread breakages.

How should this be resolved?

Certificate pinning should be generally discouraged in the common case. If using the public root CAs does not provide enough security, people should use private CAs and have those root CAs distributed as needed.

MarkSRobinson, Jun 16 '24 03:06
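The operational point in the issue, as an added Go example (not the cheat sheet's code and not posted in the issue): a throwaway private root issues a leaf, the leaf is renewed with fresh key material, and a hard-coded SPKI pin fails while validation against the distributed private root still passes. The hostname, the root name and the 90-day lifetime are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"; "crypto/elliptic"; "crypto/rand"; "crypto/sha256"; "crypto/x509"
	"crypto/x509/pkix"; "encoding/hex"; "math/big"; "time"
)

// newCert mints a certificate with freshly generated key material (constructed test PKI); a nil parent yields a self-signed root, i.e. the private CA.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(90 * 24 * time.Hour), // 90-day lifetime
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// spkiPin is what a leaf-pinning client hard-codes: SHA-256 of the SubjectPublicKeyInfo.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// chainOK is the alternative the issue proposes: trust the distributed private root and validate the chain.
func chainOK(leaf, root *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// simulateRotation renews the leaf with a new key, as routine rotation does, and reports whether the captured pin still matches and whether root-anchored validation still passes.
func simulateRotation(host string) (pinStillMatches, chainStillValid bool) {
	root, rootKey := newCert("Example Private Root", true, nil, nil)
	leafV1, _ := newCert(host, false, root, rootKey)
	pinned := spkiPin(leafV1) // captured at deployment time
	leafV2, _ := newCert(host, false, root, rootKey) // renewal with fresh key material
	return spkiPin(leafV2) == pinned, chainOK(leafV2, root, host)
}
```

Run it with `go test` alongside a test that calls simulateRotation; the pin comparison returns false after the renewal while the chain check returns true.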