On 9/17/13 1:54 PM, Yoav Nir wrote: > > On Sep 17, 2013, at 11:49 PM, Ryan Sleevi <[email protected]> wrote: > >> On Tue, September 17, 2013 1:31 pm, Yoav Nir wrote: >>> >>> On Sep 17, 2013, at 11:17 PM, joel jaeggli <[email protected]> >>> wrote: >>> >>>> On 9/16/13 5:23 PM, Tom Ritter wrote: >>>>> On 16 September 2013 17:10, Bruce Morton <[email protected]> >>>>> wrote: >>>>>> Sounds reasonable. One question is that since it is not widely used, >>>>>> does it >>>>>> meet the 0.1 percent of connections criteria? I don't know how we >>>>>> measure >>>>>> that. >>>>> >>>>> Chrome's between 16-46% of the market[0] and pins Google and >>>>> Twitter[1]. Between Google and Twitter, I'd say it probably hits >>>>> 0.1%... >>>> >>>> is this behavior consistent with what mozilla was doing/did? >>>> >>>> https://bugzilla.mozilla.org/show_bug.cgi?id=744204 >>>> >>>> https://wiki.mozilla.org/Security/Features/CA_pinning_functionality >>> >>> Not quite. What Chrome currently has is a static list of pins (gets >>> updated when Chrome gets updated). The Mozilla is implementing is a >>> dynamic list of pins updated by visiting the site, as specified in >>> http://tools.ietf.org/html/draft-ietf-websec-key-pinning. I don't think >>> either Google or Twitter emit the HPKP headers (yet). >>> >>> Yoav >> >> Note: Chrome has a static list of preloaded pins - but also supports >> dynamic pins, as specified in the draft. > > Really? Cool! That calls for an RFC 6982 "implementation status" section.
indeed, if it does. > Yoav > > _______________________________________________ wpkops mailing list [email protected] https://www.ietf.org/mailman/listinfo/wpkops
