TLS: certificate pinning
Currently, TLS certificates are verified via domain name and X.509 Certificate Authorities. I'd like to bypass both via certificate pinning.
I propose a setting ssl_fingerprint (ideally: tls_fingerprint #29), taking the SHA-256 or SHA-512 of a certificate (#32 (closed)).
This way, I can manually enter one specific fingerprint, not having to trust the CA-cartel.
This also helps with #31 (closed).
msmtp/mpop already does this: http://msmtp.sourceforge.net/doc/msmtp.html#tls_005ffingerprint
For more information see http://tack.io/ and https://tools.ietf.org/html/draft-perrin-tls-tack-02
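
Added example, not part of the original issue and not this project's code: one way a client could enforce a pinned SHA-256 or SHA-512 fingerprint in place of CA and hostname verification, using Python's standard library. The function names and the accepted input format (hex, optionally colon-separated) are assumptions.

```python
import hashlib
import hmac
import socket
import ssl

# Digest length in bytes -> hash name; only SHA-256 and SHA-512 pins are accepted.
_DIGESTS = {32: "sha256", 64: "sha512"}

def parse_fingerprint(setting):
    """Parse 'AB:CD:...' or 'abcd...' into (algorithm, digest bytes)."""
    cleaned = setting.strip().replace(":", "").replace(" ", "")
    try:
        digest = bytes.fromhex(cleaned)
    except ValueError:
        raise ValueError("fingerprint is not hexadecimal") from None
    if len(digest) not in _DIGESTS:
        raise ValueError("fingerprint must be a SHA-256 or SHA-512 digest")
    return _DIGESTS[len(digest)], digest

def matches_pin(der_cert, setting):
    """Return True if the DER-encoded certificate hashes to the pinned value."""
    algorithm, expected = parse_fingerprint(setting)
    actual = hashlib.new(algorithm, der_cert).digest()
    return hmac.compare_digest(actual, expected)

def connect_pinned(host, port, setting, timeout=10.0):
    """Open a TLS connection that trusts only the pinned certificate."""
    parse_fingerprint(setting)  # reject a malformed pin before connecting
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # CA and hostname checks are off on purpose: the pin is the only trust anchor.
    context.check_hostname = False
    context.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = context.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    der_cert = tls.getpeercert(binary_form=True)
    if not der_cert or not matches_pin(der_cert, setting):
        tls.close()
        raise ssl.SSLError("certificate does not match pinned fingerprint")
    return tls

if __name__ == "__main__":
    sample = b"constructed bytes standing in for a DER certificate"
    pin = hashlib.sha256(sample).hexdigest()
    print(matches_pin(sample, pin), matches_pin(sample + b"!", pin))
```

The pin check runs before any application data is sent, and a mismatch closes the connection, so a replaced certificate fails closed even though CA validation is disabled.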