Lock certificate for domain
Add feature which allow lock specific certificate (server or authority) per domain. This feature disallow domain controlled main-in-the middle when own CA is enforced by domain policy or installed with another application to the system.
Configuration should be list of domains (possibly with wildcards) like
when finger print belongs to CA, then any "correct" certificate signed by this CA should be accepted ie. another CA could not sign certificate for domain
if fingerprint belongs to server certificate, then any other certificate should not be accepted (same as invalid certificate)
List should be possible edit manually in settings.
Cert could be lock by button in information about connection security as same as unlock.
This list should be synced.
Usage of this feature will cause service brake out when locked certificate is replaced (eg. due to expire) and will require manually fix by user.
This feature will not have impact to users who are not use it.
I disagree with you it is equivalent.
- HPKP add new headers in HTTP protocol and make communication more complex
- HPKP is deprecated by google and CT Logs still kept third person in process
- Public CA affected only
Feature which I described is completely independent on the existing solution and require implementation in client only.
@patrik_halfar manual addition of entries was supported via
vivaldi://net-internals/until the option was removed by the according Chromium update.
HTTP headers are only the most common way of distribution.
The cert (or CA for that matter) is not in the loop for PKP. If the server does not have the matching private key for the requested domain (or the trust period expired), the client will throw an error.
If website operators are not up to the task to renew entries in time, there are deadlocks. This happening regularly unfortunately lead to Google pulling the plug (public reason) without (as you mentioned) an adequate replacement.
The difference in the suggested feature is to use a
cert hashwith expiration bound to cert lifetime instead of a
public key hashwith expiration supplied by the user (or server).
Subdomain inclusion is covered in PKP as well.
Thank you for your request. As this post has had less than 5 votes over 4 years it will now be archived.