Public Keys

<title>Public Keys</title>
Let me describe what I want.
There are just a very few institutions with which I want to communicate with fairly high confidentiality assurance.
I would like to manually enter into my browser, their public key fingerprint bound to their domain name, perhaps with a wildcard notation for sub-names.

This should affect the browser’s behavior as follows:
For every access to that domain name, access via https and provide a conspicuous warning of any proffered public key whose fingerprint differs from what I provided.
<p>
This notion seems to capture the original simple notion of RSA public key. 
PKI does not.
Self signed certificates are perfectly fine!
Certificates signed by even a well known CA with a different fingerprint provoke the warning.
With this browser facility I can talk to my bank securely whether or not they buy into HSTS.
I have only a bootstrap problem of learning the fingerprint.
In this plan my banking confidentiality no longer relies on the worst of the worlds CA’s.
<p>Some might like to be able to specify the fingerprint of a CA’s public key and allow public keys in certs signed by that public key.
This would save work and rely on the integrity of just one CA.
<hr>
With the current Chrome Canary implementation of HSTS specs I often find a site with which I cannot connect because I have chosen not to trust the CA that they have chosen to sign their certs.
If I were to mark that CA as trusted then my bank communication would be vulnerable to that unknown CA.
Trust it? .... I have never heard of it!
A current workaround is to use a different browser that does not do HSTS or does it differently.
A different workaround is to use Firefox for non critical sites and tell Firefox to trust all CA's.
<hr><a href=https://noisebridge.net/>Here is Noisebridge</a>
The SHA fingerprint of their public key is:
<br>75 49 84 7A 02 89 3A 26 13 BD 20 45 1A 99 4E 81 EF 9B DC 35
<br>In <a href=>base64</a> it is:
<br>dUmEegKJOiYTvSBFGplOge+b3DU=
<p>I enter the pair:
<br>“noisebridge.com”, “sha1/dUmEegKJOiYTvSBFGplOge+b3DU=”
<br>into the HSTS collection.
To do this I enter “chrome://net-internals/#hsts” into Chrome’s address bar and hit return.
<p>Using Safari I mark Noisebridge’s certificate as trusted in the Mac’s shared data base of trusted certs.
Access behavior is unchanged.
I delete the pair in Chrome and enter it again but with a one bit error in the fingerprint.
Chrome lets me in with no warning.
Had I done this with my bank instead of Noisebridge and a MITM in cahoots with a corrupted CA has presented a signed but different certificate with a different public key, I must assume that I would have been compromised!
<hr>Chrome (canary) 39.0.2141.0 and 39.0.2161.3 both fail this way.
<p>My current workaround is to learn the 6 clicks to display the bank’s public key fingerprint just before entering my password.
I recognize some of the bits therein.
Here are the clicks for Chrome:<ol>
<li>lock icon at left end of address bar
<li>“connection” tab in new window. (Sometimes unnecessary but doesn’t hurt)
<li>“certification information” ‘link’
<li>You might here want to select a different level in the certificate chain which is shown.
<li>Click arrow to left of “details”
<li>Scroll down to bottom and see “Fingerprints”</ol>
<hr><a href=old.html>Here</a> is an older less complete analysis.
<br><a href=trove>Munging Canary Cookies on the Mac</a>
<br><a href=../fpidn.html>A fairly general solution</a>