Let me describe what I want. There are just a very few institutions with which I want to communicate with fairly high assurance of confidentiality. I would like to manually enter into my browser their public key fingerprint, bound to their domain name, perhaps with a wildcard notation for sub-names. This should affect the browser's behavior as follows: for every access to that domain name, use https, and give a conspicuous warning of any proffered public key whose fingerprint differs from the one I provided.
This notion seems to capture the original simple notion of an RSA public key. PKI does not. Self-signed certificates are perfectly fine! Certificates signed by even a well known CA, but carrying a key with a different fingerprint, provoke the warning. With this browser facility I can talk to my bank securely whether or not they buy into HSTS. I have only a bootstrap problem of learning the fingerprint. In this plan my banking confidentiality no longer relies on the worst of the world's CAs.
Some might like to be able to specify the fingerprint of a CA's public key and accept any public key in a cert signed by that key. This would save work and rely on the integrity of just one CA.
I enter the pair:
into the HSTS collection. To do this I enter “chrome://net-internals/#hsts” into Chrome’s address bar and hit return.
Using Safari I mark Noisebridge's certificate as trusted in the Mac's shared database of trusted certs. Access behavior is unchanged. I delete the pair in Chrome and enter it again but with a one-bit error in the fingerprint. Chrome lets me in with no warning. Had I done this with my bank instead of Noisebridge, and a MITM in cahoots with a corrupted CA had presented a signed but different certificate with a different public key, I must assume that I would have been compromised!
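The browser behavior described at the top of this post, and the one-bit-error test just above, can be done outside the browser. What follows is an added example written for this page, not the post's own code and not anything Chrome or Safari ships: a standard-library Python script that pins the SHA-256 hash of a server's leaf SubjectPublicKeyInfo in the "sha256/base64" form that Chrome's net-internals HSTS page and HPKP used, matches the host against a pin list with the wildcard notation the post suggests (my reading: `*.bank.example` covers the bare name and any depth of sub-names), and reports a mismatch rather than letting you in. The host names, the pin list and the certificate bytes are all constructed for the example; the sample certificate is syntactically valid DER but carries meaningless key bits and no real signature. The CA-fingerprint variant the post mentions is not implemented, since checking the CA's signature needs more than the standard library.

```python
"""Manual public-key pinning check for a TLS server (added example, not the
post's code). Pins are "sha256/" + base64(SHA-256(DER SubjectPublicKeyInfo)).
The DER walker handles just enough ASN.1 to locate the SPKI in an X.509 cert."""
import base64
import hashlib
import hmac
import socket
import ssl


def _der_tlv(buf, pos):
    """Decode the tag-length-value at buf[pos]; return (tag, value_start, end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo (header included) of an X.509 cert."""
    _, tbs_start, _ = _der_tlv(cert_der, 0)                 # Certificate SEQUENCE
    tag, pos, tbs_end = _der_tlv(cert_der, tbs_start)       # TBSCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a certificate")
    tag, _, end = _der_tlv(cert_der, pos)
    if tag == 0xA0:                         # optional [0] EXPLICIT version
        pos = end
    for _ in range(5):                      # serial, sigalg, issuer, validity, subject
        _, _, pos = _der_tlv(cert_der, pos)
    tag, _, end = _der_tlv(cert_der, pos)   # subjectPublicKeyInfo
    if tag != 0x30 or end > tbs_end:
        raise ValueError("malformed TBSCertificate")
    return cert_der[pos:end]


def pin_for_spki(spki_der):
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def pin_for_cert(cert_der):
    return pin_for_spki(extract_spki(cert_der))


def host_matches(pattern, host):
    """'bank.example' matches only itself; '*.bank.example' also matches
    the bare name and sub-names of any depth (assumed wildcard semantics)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern


def check_pin(host, cert_der, pins):
    """pins: list of (host_pattern, pin); first matching pattern wins.
    Returns (expected_pin, presented_pin, ok) with ok None when no pin
    covers host, True on a match, False when the presented key differs."""
    presented = pin_for_cert(cert_der)
    for pattern, expected in pins:
        if host_matches(pattern, host):
            return expected, presented, hmac.compare_digest(expected, presented)
    return None, presented, None


def corrupt_pin(pin, bit=0):
    """Return pin with one bit of its hash flipped (the post's one-bit-error test)."""
    raw = bytearray(base64.b64decode(pin[len("sha256/"):]))
    raw[bit // 8] ^= 1 << (bit % 8)
    return "sha256/" + base64.b64encode(bytes(raw)).decode()


def fetch_leaf_cert(host, port=443, timeout=10):
    """Fetch the leaf certificate a live server presents. Chain validation is
    off on purpose: as in the post, the pin, not a CA, is the root of trust.
    Send nothing to the server until check_pin has passed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def _der(tag, content):
    """Minimal DER encoder for the constructed sample (short-form lengths only)."""
    if len(content) >= 128:
        raise ValueError("sample encoder only handles short lengths")
    return bytes([tag, len(content)]) + content


# Constructed sample certificate: valid DER layout, meaningless key and signature.
_RSA_OID = _der(0x06, bytes.fromhex("2a864886f70d010101"))       # rsaEncryption
_SHA256_RSA_OID = _der(0x06, bytes.fromhex("2a864886f70d01010b"))  # sha256WithRSA
SAMPLE_SPKI = _der(0x30, _der(0x30, _RSA_OID + _der(0x05, b""))
                   + _der(0x03, b"\x00" + bytes(range(1, 17))))     # fake key bits
_SAMPLE_TBS = _der(0x30, _der(0xA0, _der(0x02, b"\x02"))           # version v3
                   + _der(0x02, b"\x01")                            # serial
                   + _der(0x30, _SHA256_RSA_OID + _der(0x05, b""))  # signature alg
                   + _der(0x30, b"")                                # issuer (empty)
                   + _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"340101000000Z"))
                   + _der(0x30, b"")                                # subject (empty)
                   + SAMPLE_SPKI)
SAMPLE_CERT = _der(0x30, _SAMPLE_TBS + _der(0x30, _SHA256_RSA_OID + _der(0x05, b""))
                   + _der(0x03, b"\x00" + b"\xff" * 8))             # fake signature

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:      # usage: pincheck.py HOST sha256/BASE64PIN
        host, expected = sys.argv[1], sys.argv[2]
        _, got, ok = check_pin(host, fetch_leaf_cert(host), [(host, expected)])
        print("presented", got, "MATCH" if ok else "MISMATCH: do not log in")
    else:                       # offline demo on the constructed certificate
        pin = pin_for_cert(SAMPLE_CERT)
        pins = [("*.bank.example", corrupt_pin(pin))]
        print("sample pin:", pin)
        print("one-bit error accepted?", check_pin("www.bank.example", SAMPLE_CERT, pins)[2])
```

Run it with a host name and the pin you copied out of the browser's certificate viewer to get the warning the post asks for; run it with no arguments to see the one-bit-error case report False instead of the silent acceptance Chrome gave. The fetch deliberately disables chain validation, so it is only safe because nothing is sent before the pin check; current Chrome versions no longer accept pins on the net-internals page, which is why a check like this has to live outside the browser.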
My current workaround is to learn the 6 clicks to display the bank’s public key fingerprint just before entering my password. I recognize some of the bits therein. Here are the clicks for Chrome: