mirleft / ocaml-x509

X509 (RFC5280) handling in OCaml
BSD 2-Clause "Simplified" License

Why is Validation.trust_cert_fingerprint deprecated? #125

Closed mben-romdhane closed 4 years ago

mben-romdhane commented 4 years ago

At the line below, it says that trust_cert_fingerprint is deprecated, and to use trust_key_fingerprint instead. https://github.com/mirleft/ocaml-x509/blob/a77022a12c2354de681818b66a0e4d1bcc7d68de/lib/x509.mli#L768 However, this is very useful to have, since many tools (e.g. openssl x509 -fingerprint) do a fingerprint of the certificate instead of the key. Forcing key fingerprints makes this feature inaccessible.

hannesm commented 4 years ago

The motivation for the deprecation was this blog article: https://www.imperialviolet.org/2011/05/04/pinning.html

The deprecation was introduced in https://github.com/mirleft/ocaml-x509/commit/2073b7cf39f7acbc11b02e9d02c9a3b73a33259a (x509 0.5.0, Oct 2015). I still use certificate pinning myself, and plan to remove the deprecation of that function, and support both public key and certificate pinning in the API.
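The two kinds of pin discussed above, as an added example that is not part of ocaml-x509 or of either commenter's post: it computes the certificate fingerprint the way `openssl x509 -fingerprint` does, computes a public-key fingerprint over the SubjectPublicKeyInfo, and re-issues a certificate for the same key to show which pin survives renewal. It assumes the `openssl` CLI is installed; the subject name `example.test` and the serial numbers are constructed values.

```shell
#!/bin/sh
# Added example, not part of ocaml-x509. Contrasts the certificate fingerprint
# (hash of the whole DER certificate, as `openssl x509 -fingerprint` prints)
# with a key fingerprint (hash of the DER SubjectPublicKeyInfo). Assumes the
# openssl CLI; all key material is generated locally in a temporary directory.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Lowercase, colon-free hex so both fingerprint kinds can be compared directly.
normalize() { tr -d ':' | tr 'A-F' 'a-f'; }

# Fingerprint exactly as `openssl x509 -fingerprint -sha256` reports it.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2 | normalize
}

# Same value computed by hand: SHA-256 over the DER encoding of the certificate.
der_fingerprint() {
    openssl x509 -outform DER -in "$1" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Key fingerprint: SHA-256 over the DER SubjectPublicKeyInfo carried in the cert.
key_fingerprint() {
    openssl x509 -noout -pubkey -in "$1" | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Key-pin check in the spirit of trust_key_fingerprint: succeeds iff the
# certificate's key fingerprint equals the pinned value ($1 pin, $2 cert file).
key_pin_matches() { [ "$(key_fingerprint "$2")" = "$1" ]; }

# Self-signed certificate for an existing key; the serial differs per issuance.
issue_cert() {   # $1 key file, $2 output cert file, $3 serial number
    openssl req -x509 -new -key "$1" -out "$2" -days 30 -subj /CN=example.test \
        -set_serial "$3" 2>/dev/null
}

# One key, two certificates for it: the second models a routine renewal.
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$WORK/key.pem" 2>/dev/null
issue_cert "$WORK/key.pem" "$WORK/cert1.pem" 1
issue_cert "$WORK/key.pem" "$WORK/cert2.pem" 2

PIN=$(key_fingerprint "$WORK/cert1.pem")
echo "cert1 certificate fingerprint: $(cert_fingerprint "$WORK/cert1.pem")"
echo "cert2 certificate fingerprint: $(cert_fingerprint "$WORK/cert2.pem")"
echo "key fingerprint (both certs):  $PIN"
key_pin_matches "$PIN" "$WORK/cert2.pem" && echo "renewed cert still matches key pin"
```

A certificate pin would have to be updated at every renewal, which is the trade-off the linked article argues against; a key pin only changes when the key does.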

hannesm commented 4 years ago

I removed the deprecated tag from the functions; this will be part of the next release.

mben-romdhane commented 4 years ago

Thank you!