Certificate Pinning - Public Key only?

Question

I would like to pin the public key of an root CA (verisign - http://www.verisign.com/repository/roots/root-certificates/PCA-3G5.pem) into my iOS app. Is is better to pin the public key or the subjectPublicKeyInfo? Could someone please explain me which method is better and why?

Answer 1

I would argue that it is better to pin the public key of the subject rather than the root's CA public key. Here is my understanding of the different trade-offs of pinning the CA's root pkey:

The good As long as you keep that same CA, you will be able to update your certificate over and over again and it will always work.

The bad I believe that you will be slightly more vulnerable to a MITM attack pinning the roots CA's pkey instead of the subjects public key, since you will take as valid any certificate signed by that CA, instead of just those that really match your subject.

What about pinning the public key of the subject then? Basically you should be slightly more safer than pinning the CA's public key, and you application should continue working even after the certificate expires and you renew it, as long as you maintain the same public key.

I just posted a question and solution on how to pin the public key, I hope it helps you: How to pin the Public key of a certificate on iOS

Answer 2

I would like to pin the public key of an root CA...

Just bike shedding, but its probably more secure to pin the certificate or public key of the server or service, and not the root or an intermediate certificate. Its especially true if you are using a public CA like DigiCert or Verisign (as opposed to a private, corporate CA).

In the case of a public CA, the CA could incorrectly issue a second certificate and clients will not be able to differentiate the "real" certificate (the one issued to you) and the "fake" certificate (the one issued incorrectly). This has happened in real life a number of times, so you should expect it to happen again.

Is is better to pin the public key or the subjectPublicKeyInfo? Could someone please explain me which method is better and why?

It is better to pin the public key (at least in the case of pinning a server certificate).

Some organizations, like Google, rotate their server certificates every 30 days or so. However, they re-certify the same public key. See, for example, Android 4.2 and Pinning. That means you will observe "key continuity" but not "certificate continuity".

Re-certifying the same public key is why CertPatrol fails so bad in some cases in the user experience. We really need a Public Key Patrol in cases like Google services.