mozilla-services / syncto

Sync to Kinto bridge (read and write data from/to sync with the Kinto interface)
https://wiki.mozilla.org/Firefox_OS/Syncto

Add certificate pinning for DigiCert root certificate. #72

Closed Natim closed 8 years ago

Natim commented 8 years ago

In order to make sure we are talking to the right Firefox Sync infrastructure, we need to let people eventually pin the certificate they are waiting for when talking to the Firefox Sync services (token server and sync nodes).

To ease the maintenance of such a thing, we will pin the DigiCert Root certificate in production.

This certificate can be found here: https://global-root.digicert.com/info/index.html

Natim commented 8 years ago

r? @almet

almet commented 8 years ago

Hmm, this is a bundle argument. I would expect this to be using the cert argument of the requests client rather than the verify one.

mozfreddyb commented 8 years ago

:+1: Great idea!

Do you have a bug for Firefox/Gecko to pre-load this pin?

mozfreddyb commented 8 years ago

Oh... my suggestion doesn't make a lot of sense for the syncto<->sync parts, but rather for the syncto.js<->syncto parts. Should I file another issue? ;)

almet commented 8 years ago

Yes, we should pin this cert on the client side;

I think @michielbdejong would have some thoughts on this, since he's working on the client side.

Natim commented 8 years ago

@almet The cert argument is for X509 SSL authentication with the client certificate; here we just want to verify that the server certificate is one of the ones pinned as trusted in the bundle.

almet commented 8 years ago

After discussing, it seems that the cert argument is used for client side certs, and not server side cert. What they call "client side cert" is a way to authenticate the user with a certificate, so not related to what we want here.

Herr Pluss.
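The distinction settled in this thread, shown as an added example that is not part of the pull request or of syncto's code: in `requests`, `verify` names the CA bundle the server's chain must validate against, while `cert` is the client's own certificate. The helper names, the bundle path and the URL are assumptions made for illustration; the block also disables `trust_env` so that the `REQUESTS_CA_BUNDLE` environment variable cannot replace the pinned bundle.

```python
import os

import requests


def pinned_session(ca_bundle, client_cert=None):
    """Return a Session that trusts only the root certificates in `ca_bundle`.

    ca_bundle:   PEM file of trusted roots, used to check the SERVER -> `verify`
    client_cert: optional (cert_path, key_path) that identifies US    -> `cert`
    """
    if not os.path.isfile(ca_bundle):
        # Fail closed instead of silently using the default trust store.
        raise FileNotFoundError("pinned CA bundle not found: %s" % ca_bundle)

    session = requests.Session()
    session.verify = ca_bundle   # server chain must lead to a root in this file
    session.cert = client_cert   # stays None unless the server wants client auth

    # While trust_env is on, requests lets REQUESTS_CA_BUNDLE / CURL_CA_BUNDLE
    # take the place of session.verify for calls that pass no explicit `verify`.
    # Turning it off also stops proxy and .netrc settings being read from the
    # environment, so configure those on the session if they are needed.
    session.trust_env = False
    return session


def effective_tls_settings(session, url):
    """Return the (verify, cert) pair requests would use for `url` when the
    call itself passes neither argument. No connection is made."""
    merged = session.merge_environment_settings(url, {}, None, None, None)
    return merged["verify"], merged["cert"]


if __name__ == "__main__":
    # Constructed values: the bundle path and host name are placeholders.
    bundle = "digicert-root.pem"
    try:
        s = pinned_session(bundle)
        print(effective_tls_settings(s, "https://sync.example.invalid/"))
    except FileNotFoundError as exc:
        print(exc)
```
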