Comments (4)

ewanm89 commented on July 21, 2024

I'd suggest making this more of a separate notary. I'm basically working on doing the same at the moment, using the SSL Observatory's database as the certificates it's verifying against.

As for the actual timestamps, I think they might be used for caching purposes, but I'd have to go through the code to check.

from convergence.

moxie0 commented on July 21, 2024

The client doesn't currently do anything with timestamps. Eventually I'd like to be able to use them to display visual certificate histories for sites, as well as warn when a certificate is fresh or has just changed.

@cless, I think @ewanm89 might be on the right track here. What might make sense is a notary backend that implements "certificate pinning," as Chrome does for Google properties in-browser. In this case, the pinning is usually done based on the actual public key in the cert, rather than the cert fingerprint itself.

cless commented on July 21, 2024

Alright, I personally think it would be useful to have one implementation that has several backend modes so notary admins only have to keep track of one backend and its new features.

Another reason I think it's useful is because your notary will always need fallback methods. One operator couldn't pin every certificate in use today. New servers that aren't in the SSL Observatory can't be verified that way either. Self-signed certificates can't be verified by a CA notary.

Does the protocol have a reply that means the notary can't handle that particular request?

moxie0 commented on July 21, 2024

@cless Yes, a notary can respond with 303 to explicitly indicate that its vote should be withdrawn from the consensus, which is different from it voting negative in the consensus, being unreachable, or otherwise encountering an error.

from convergence.
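
The difference between a withdrawn vote and a negative one, as an added example that is not part of the thread or of the Convergence code base: a client-side tally in which a 303 reply shrinks the electorate instead of counting against the certificate. Only the 303 code comes from the discussion above; the 200 and 409 codes, the strict-majority rule, counting unreachable or erroring notaries as non-agreeing, and failing closed when every notary abstains are assumptions, and all names are hypothetical.

```python
from enum import Enum


class Vote(Enum):
    AGREE = "agree"        # notary vouches for the fingerprint
    DISAGREE = "disagree"  # notary saw something else
    ABSTAIN = "abstain"    # 303: vote withdrawn from the consensus
    FAILED = "failed"      # unreachable or any other error


STATUS_ABSTAIN = 303   # from the thread
STATUS_AGREE = 200     # assumption for this example
STATUS_DISAGREE = 409  # assumption for this example


def classify(status):
    """Map one notary's HTTP status (None means unreachable) to a vote."""
    if status == STATUS_ABSTAIN:
        return Vote.ABSTAIN
    if status == STATUS_AGREE:
        return Vote.AGREE
    if status == STATUS_DISAGREE:
        return Vote.DISAGREE
    return Vote.FAILED


def consensus(statuses):
    """Return (trusted, agreeing, counted) for a {notary: status} mapping.

    Abstaining notaries are dropped before counting, so a backend that
    cannot handle a host (no pin, not in its database) does not drag the
    result down. Failed notaries stay in the count as non-agreeing
    (assumed policy). With nobody left to count, the result fails closed.
    """
    votes = [classify(s) for s in statuses.values()]
    counted = [v for v in votes if v is not Vote.ABSTAIN]
    agreeing = sum(1 for v in counted if v is Vote.AGREE)
    trusted = bool(counted) and agreeing * 2 > len(counted)
    return trusted, agreeing, len(counted)


if __name__ == "__main__":
    # Constructed sample: a pinning notary with no pin for this host abstains.
    sample = {"pin-notary": 303, "observatory-notary": 200, "ca-notary": 200}
    print(consensus(sample))
    # Same host, but the pinning notary votes negative instead of abstaining.
    sample["pin-notary"] = 409
    print(consensus(sample))
```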
