On Sep 17, 2013, at 11:49 PM, Ryan Sleevi <[email protected]> wrote:
> On Tue, September 17, 2013 1:31 pm, Yoav Nir wrote: >> >> On Sep 17, 2013, at 11:17 PM, joel jaeggli <[email protected]> >> wrote: >> >>> On 9/16/13 5:23 PM, Tom Ritter wrote: >>>> On 16 September 2013 17:10, Bruce Morton <[email protected]> >>>> wrote: >>>>> Sounds reasonable. One question is that since it is not widely used, >>>>> does it >>>>> meet the 0.1 percent of connections criteria? I don't know how we >>>>> measure >>>>> that. >>>> >>>> Chrome's between 16-46% of the market[0] and pins Google and >>>> Twitter[1]. Between Google and Twitter, I'd say it probably hits >>>> 0.1%... >>> >>> is this behavior consistent with what mozilla was doing/did? >>> >>> https://bugzilla.mozilla.org/show_bug.cgi?id=744204 >>> >>> https://wiki.mozilla.org/Security/Features/CA_pinning_functionality >> >> Not quite. What Chrome currently has is a static list of pins (gets >> updated when Chrome gets updated). The Mozilla is implementing is a >> dynamic list of pins updated by visiting the site, as specified in >> http://tools.ietf.org/html/draft-ietf-websec-key-pinning. I don't think >> either Google or Twitter emit the HPKP headers (yet). >> >> Yoav > > Note: Chrome has a static list of preloaded pins - but also supports > dynamic pins, as specified in the draft. Really? Cool! That calls for an RFC 6982 "implementation status" section. Yoav _______________________________________________ wpkops mailing list [email protected] https://www.ietf.org/mailman/listinfo/wpkops
