> On 15 May 2016, at 8:10 PM, Yaron Sheffer <[email protected]> wrote:
>
> On 15/05/16 10:22, Yoav Nir wrote:
>> That’s interesting. With HPKP you can pin keys from existing certificates,
>> or keys that are not (yet) in certificates.
>>
>> One of the early deployment scenarios (which got de-emphasized later on) was
>> that you include two pins: your current production key and a spare key that
>> you will certify if something bad happens to the production key (like the
>> private key leaking out).
>>
> Hi Yoav,
>
> I had assumed this *is* the main deployment scenario. If it was
> de-emphasized, what do you consider as the "classic" HPKP usage scenario?

Current certificate plus some CA certificate that you are likely to use to certify your next certificate.

Yoav

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
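
The two deployment scenarios discussed in this thread, as an added example that is not part of the original messages: it builds a `Public-Key-Pins` header for each and applies the RFC 7469 section 2.5 conditions a user agent checks before storing pins (a pin that matches the served chain, plus a backup pin that does not). The SPKI byte strings are constructed placeholders rather than real keys, and all function names are hypothetical.

```python
import base64
import hashlib

def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def build_header(spkis, max_age=5184000):
    pins = [f'pin-sha256="{spki_pin(s)}"' for s in spkis]
    return "; ".join(pins + [f"max-age={max_age}"])

def parse_header(value):
    pins, max_age = set(), None
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        arg = arg.strip().strip('"')
        if name.strip().lower() == "pin-sha256":
            pins.add(arg)
        elif name.strip().lower() == "max-age" and arg.isdigit():
            max_age = int(arg)
    return pins, max_age

def note_pins(header_value, chain_spkis):
    """RFC 7469 section 2.5: conditions under which a user agent stores the pins."""
    pins, max_age = parse_header(header_value)
    chain = {spki_pin(s) for s in chain_spkis}
    if max_age is None:
        return "rejected: max-age missing"
    if not pins & chain:
        return "rejected: no pin matches the served chain"
    if not pins - chain:
        return "rejected: no backup pin outside the served chain"
    return "noted"

def chain_passes(header_value, chain_spkis):
    """Pin validation on a later connection: some chain SPKI must be pinned."""
    pins, _ = parse_header(header_value)
    return any(spki_pin(s) in pins for s in chain_spkis)

# Constructed placeholders standing in for DER SubjectPublicKeyInfo bytes.
LEAF, SPARE = b"spki:production-key", b"spki:spare-key"
CURRENT_CA, NEXT_CA = b"spki:current-ca", b"spki:next-ca"
CHAIN = [LEAF, CURRENT_CA]  # chain served today

if __name__ == "__main__":
    for label, extra in [("spare key", SPARE), ("next CA", NEXT_CA), ("current CA", CURRENT_CA)]:
        print(label, "->", note_pins(build_header([LEAF, extra]), CHAIN))
```

Pinning the production key together with the CA that already issued it is rejected, because neither pin lies outside the served chain; the CA pin only serves as a backup when it belongs to a CA not in the current chain.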
