On Fri, Jan 20, 2012 at 8:14 AM, Phillip Hallam-Baker <[email protected]> wrote:
>> Without pinning, fraudulent certificates are invisible, especially when
>> applied to specific individuals. The fraudulent DigiNotar certificates in
>> Iran would have gone unnoticed had it not been for the pinning of Google
>> certificates.
>
> The Google certs were not pinned. Pinning is a very specific mechanism.

We consider them to have been pinned. The dynamic pinning proposal in the WebSec WG is a generalization of what we call "preloaded" (or "static") pins.

Word-noodling aside, the attack might very well have remained invisible without Chrome's knowledge of and insistence on Gmail's true SPKIs.

--
They who can give up general-purpose computing to obtain a little temporary safety, deserve neither general-purpose computing nor safety.

_______________________________________________
therightkey mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/therightkey
