On 2016-11-29T21:42, sivmu <[email protected]> wrote:
> On 29.11.2016 at 11:46, Alice Wonder wrote:
> With HPKP there is no such attack surface.

Whereas HPKP has the nice new attack surface of "now I've -unbeknownst to you- got access and secretly fed your users my key. Now I've deleted it from the box. Pay me or kill your domain".

Both approaches are deeply flawed and at best worthy to be used in some kind of trustworthiness scoring system. Like "oh, DANE, HPKP and a regular CA signature, you'll get the green bar". But I guess that might never happen for other reasons.

Ciao,

Alexander Wuerstlein.

_______________________________________________
Ach mailing list
[email protected]
http://lists.cert.at/cgi-bin/mailman/listinfo/ach
