On Sep 17, 2013, at 11:17 PM, joel jaeggli <[email protected]> wrote:
> On 9/16/13 5:23 PM, Tom Ritter wrote: >> On 16 September 2013 17:10, Bruce Morton <[email protected]> wrote: >>> Sounds reasonable. One question is that since it is not widely used, does it >>> meet the 0.1 percent of connections criteria? I don’t know how we measure >>> that. >> >> Chrome's between 16-46% of the market[0] and pins Google and >> Twitter[1]. Between Google and Twitter, I'd say it probably hits >> 0.1%... > > is this behavior consistent with what mozilla was doing/did? > > https://bugzilla.mozilla.org/show_bug.cgi?id=744204 > > https://wiki.mozilla.org/Security/Features/CA_pinning_functionality Not quite. What Chrome currently has is a static list of pins (gets updated when Chrome gets updated). The Mozilla is implementing is a dynamic list of pins updated by visiting the site, as specified in http://tools.ietf.org/html/draft-ietf-websec-key-pinning. I don't think either Google or Twitter emit the HPKP headers (yet). Yoav _______________________________________________ wpkops mailing list [email protected] https://www.ietf.org/mailman/listinfo/wpkops
