On Wed, April 8, 2015 4:40 pm, Phillip Hallam-Baker wrote:
> Who said anything about DNSSEC being required?

If it isn't, then it's not equivalent. HSTS requires an error free connection - in part to ensure the policy is securely delivered. HPKP requires an error free connection that is consistent with the policy expressed - in part to ensure the policy is securely delivered and correctly formed.

If you don't require secure delivery of that, then you're not developing a secure solution.

If you're doing it for out of band discovery, then it would help to say that. But I very much doubt you are.

> Having more than one solution for a problem is usually a good reason
> to pick one.

http://xkcd.com/927/

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
