In any case, I think this is not a common practice in all the browsers; as you say, only Chrome and Mozilla support it, and it's a practice of these browsers that I don't know how to fit in a trust model which is based on browser procedures to admit CAs in their trust stores, and this is to check and avoid vulnerabilities like those that appeared in the DigiNotar case.
Iñigo Barreira
Head of the Technical Area
[email protected]
945067705

ATTENTION! Part or all of this message may be legally protected. The message has its intended recipient. If it has reached the wrong address (address misspelled, transmission failed), notify the sender by replying to this email. CAREFUL! ATTENTION! This message contains privileged or confidential information to which only the addressee has the right of access. If you receive it by mistake, we would be grateful if you did not make use of the information and contacted the sender.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of joel jaeggli
Sent: Tuesday, 17 September 2013 22:57
To: Yoav Nir; <[email protected]>
CC: Tom Ritter; [email protected]; Bruce Morton; Tim Moses
Subject: Re: [wpkops] Cert-pinning, CA-pinning part of trust model: suggestion

On 9/17/13 1:54 PM, Yoav Nir wrote:
>
> On Sep 17, 2013, at 11:49 PM, Ryan Sleevi <[email protected]> wrote:
>
>> On Tue, September 17, 2013 1:31 pm, Yoav Nir wrote:
>>>
>>> On Sep 17, 2013, at 11:17 PM, joel jaeggli <[email protected]>
>>> wrote:
>>>
>>>> On 9/16/13 5:23 PM, Tom Ritter wrote:
>>>>> On 16 September 2013 17:10, Bruce Morton
>>>>> <[email protected]>
>>>>> wrote:
>>>>>> Sounds reasonable. One question is that since it is not widely
>>>>>> used, does it meet the 0.1 percent of connections criteria? I
>>>>>> don't know how we measure that.
>>>>>
>>>>> Chrome's between 16-46% of the market[0] and pins Google and
>>>>> Twitter[1]. Between Google and Twitter, I'd say it probably hits
>>>>> 0.1%...
>>>>
>>>> is this behavior consistent with what mozilla was doing/did?
>>>>
>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=744204
>>>>
>>>> https://wiki.mozilla.org/Security/Features/CA_pinning_functionality
>>>
>>> Not quite. What Chrome currently has is a static list of pins (gets
>>> updated when Chrome gets updated). What Mozilla is implementing is a
>>> dynamic list of pins updated by visiting the site, as specified in
>>> http://tools.ietf.org/html/draft-ietf-websec-key-pinning. I don't
>>> think either Google or Twitter emit the HPKP headers (yet).
>>>
>>> Yoav
>>
>> Note: Chrome has a static list of preloaded pins - but also supports
>> dynamic pins, as specified in the draft.
>
> Really? Cool! That calls for an RFC 6982 "implementation status" section.

indeed, if it does.

> Yoav
>

_______________________________________________
wpkops mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/wpkops
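As an added illustration, not code from this thread or from either browser, the following Python model shows the two pin sources the thread contrasts: a preloaded static pin list (Chrome's approach) and dynamic pins noted from a Public-Key-Pins header as in draft-ietf-websec-key-pinning, including the draft's requirement that a noted header carry both a pin matching the served chain and a backup pin that does not. Hostnames and SPKI bytes are constructed; includeSubDomains and report-uri handling are omitted.

```python
import base64
import hashlib

def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64 of SHA-256 over the DER-encoded SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def parse_pkp_header(header: str) -> dict:
    """Parse pin-sha256 and max-age out of a Public-Key-Pins header (max-age is required)."""
    pins, max_age = [], None
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "pin-sha256":
            pins.append(value)
        elif name == "max-age":
            max_age = int(value)
    if max_age is None:
        raise ValueError("Public-Key-Pins requires a max-age directive")
    return {"pins": pins, "max_age": max_age}

class PinStore:
    """Preloaded static pins plus dynamic pins noted from headers, both keyed by host."""
    def __init__(self, static_pins):
        self.static = {host: set(pins) for host, pins in static_pins.items()}
        self.dynamic = {}  # host -> (set of pins, expiry timestamp)

    def note_header(self, host, header, chain_hashes, now):
        """Note a header; only call after the chain validated over an error-free TLS connection."""
        parsed = parse_pkp_header(header)
        chain = set(chain_hashes)
        # The draft requires at least one pin matching the chain and at least one backup pin
        # that does not, so a lost key cannot lock the site out of its own pins.
        if not (chain & set(parsed["pins"])) or set(parsed["pins"]) <= chain:
            return False
        if parsed["max_age"] == 0:  # max-age=0 withdraws the dynamic pins for this host
            self.dynamic.pop(host, None)
        else:
            self.dynamic[host] = (set(parsed["pins"]), now + parsed["max_age"])
        return True

    def check(self, host, chain_hashes, now):
        """True when no pins apply to host, or some pinned SPKI hash appears in the chain."""
        pins = set(self.static.get(host, ()))
        entry = self.dynamic.get(host)
        if entry is not None and entry[1] > now:
            pins |= entry[0]
        elif entry is not None:
            del self.dynamic[host]  # expired dynamic pins are dropped
        return not pins or bool(pins & set(chain_hashes))
```

A chain that validates to a trusted CA but contains none of the pinned keys (the DigiNotar-style mis-issuance the thread refers to) fails `check` for a pinned host, while an unpinned host is unaffected.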
