> On Apr 4, 2018, at 10:07 PM, Martin Thomson <martin.thom...@gmail.com> wrote:
>
> Given what we've learned about pinning (it is being removed from
> browsers), this seems like a bad plan to me.
Question, are you thinking of HPKP or STS? HPKP pins rather volatile data, and is too fragile to be used (something I would have predicted without even running the experiment). STS and this proposal pin a capability:

* STS: I can be relied on to support TLS
* option (B): I can be relied on to support the TLS extension for the specified time (or not when the TTL is 0).

So I rather think that the unsurprising failure of HPKP is the wrong lesson to apply. STS seems successful enough; indeed, in the UTA working group Google, Microsoft, Yahoo et al. are standardizing an STS for SMTP (as a work-around for lack of DNSSEC in their domains), and this pins an STS policy for timescales comparable to the proposal here. The UTA STS draft has just cleared WG last call. Should I expect that the folks in this WG opposing the pin for the DANE chain extension are strongly opposed to SMTP STS and will argue against it in IETF last call and, if IESG members, in IESG review?

-- 
Viktor.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
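As an added illustration of the "capability pin" model the message contrasts with HPKP's data pin (example code written for this page; it is not from the thread, from Viktor, or from any IETF draft): a client-side store that records only the fact "this host supports the extension" for a TTL, refreshes it on every handshake that carries the extension, clears it when the server sends TTL 0, and rejects a later handshake that omits the extension while a pin is live. The single-TTL field, the refresh-on-every-handshake rule and all names (`CapabilityPinStore`, `check_handshake`) are assumptions made for the illustration, not details of the actual chain-extension proposal.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class CapabilityPin:
    """A pin records a capability ("supports the extension"), not key material.
    The only state is when the expectation lapses."""
    expires_at: float


class CapabilityPinStore:
    """Per-host store of capability pins (hypothetical client-side policy cache)."""

    def __init__(self) -> None:
        self._pins: Dict[str, CapabilityPin] = {}

    def required(self, host: str, now: float) -> bool:
        """True if the client currently expects `host` to present the extension."""
        pin: Optional[CapabilityPin] = self._pins.get(host)
        if pin is None:
            return False
        if now >= pin.expires_at:
            # An expired pin is simply forgotten: the expectation lapses,
            # it does not become a hard failure as a stale key pin would.
            del self._pins[host]
            return False
        return True

    def observe(self, host: str, extension_present: bool, pin_ttl: int, now: float) -> None:
        """Update the store from a handshake that has already been accepted.

        Assumed semantics: the pin TTL travels inside the extension, so a
        handshake without the extension cannot set or clear anything; a TTL
        of 0 unpins; any other TTL (re)starts the expectation window.
        """
        if not extension_present:
            return
        if pin_ttl == 0:
            self._pins.pop(host, None)
        else:
            self._pins[host] = CapabilityPin(expires_at=now + pin_ttl)


def check_handshake(store: CapabilityPinStore, host: str,
                    extension_present: bool, pin_ttl: int, now: float) -> Tuple[bool, str]:
    """Decide whether to continue a handshake with `host`.

    Returns (accept, reason). Enforcement is the whole point of the pin: if an
    unexpired pin exists and the server did not send the extension, the client
    treats that as a downgrade and refuses. Otherwise the handshake is accepted
    and the store is updated from what the server announced.
    """
    if store.required(host, now) and not extension_present:
        return False, "pinned capability missing: extension expected but not offered"
    store.observe(host, extension_present, pin_ttl, now)
    return True, "ok"


def demo() -> list:
    """Walk one host through pin, downgrade attempt, unpin, and expiry (constructed timeline)."""
    store = CapabilityPinStore()
    timeline = [
        ("pin set for 1 hour", True, 3600, 1000.0),
        ("extension dropped while pinned", False, 0, 2000.0),   # rejected
        ("server unpins with TTL 0", True, 0, 2000.0),
        ("extension absent after unpin", False, 0, 2001.0),     # accepted
    ]
    return [(label, check_handshake(store, "example.com", ext, ttl, now)[0])
            for label, ext, ttl, now in timeline]


if __name__ == "__main__":
    for label, accepted in demo():
        print(f"{label:35s} -> {'accept' if accepted else 'REJECT'}")
```

The contrast with HPKP is visible in what the store holds: nothing about which keys or chains are valid, only an expiry, so a key rotation on the server side cannot brick clients; the only way to be locked out is for the server to stop offering the extension before the window it itself advertised has lapsed, which is exactly the downgrade the pin is meant to catch.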