Please take a look at https://pinningtest.appspot.com in FF 32 or higher and use your best judgment of whether FxA users on Nightly would be able to file an appropriate bug if they see one of the 10-20 violations per day that we're getting now.

This bug is to improve the UI to be more informative:
https://bugzilla.mozilla.org/show_bug.cgi?id=1011638

And this bug is to report the entire certificate chain, including the complete domain, back to us for remediation:
https://bugzilla.mozilla.org/show_bug.cgi?id=846489

I don't think it makes sense to block a decision on either one of these, because they don't have firm end dates.

From the violation rate, I doubt that the pinset is incorrect, most violations are probably from captive portal. However, this assumption is incorrect if people are hitting a rarely used subdomain on accounts.firefox.com that is using an unknown cert issuer. If this is not the case and the pinset is correct, we could go ahead and start enforcing pin violations and count on bugzilla reports to find errors. It's also reasonable to wait a week and see if the numbers improve (telemetry data lags 4-5 days, dates are by build date, not submission date).

Thanks,
Monica

----- Original Message -----
> http://people.mozilla.org/~mchew/pinning_dashboard/
>
> The violation rate is a little higher than mmc would expect to see. (We're
> still in reporting only mode, though.)
>
> We're seeing 10-20 (would be) violations per day. The rate is higher than
> other Moz services, but the sample size is also much smaller.
>
> Any thoughts?
>
> -chris
>
_______________________________________________
Dev-fxacct mailing list
[email protected]
https://mail.mozilla.org/listinfo/dev-fxacct

