On 12/17/2013 08:45 PM, Micah Lee wrote:
> As far as I know these preload lists only force HTTPS for these domains.
> I wonder if anyone could convince the browser vendors to also do
> certificate pinning, bypassing PKI based on CAs altogether?

I believe the answer for public-key-pinning is the same as for HSTS. That is, if you've already implemented the possible footgun that is public-key-pinning on your web site via the standard HTTP headers, and you have demonstrated that it works for you, you can send patches to agl against:

https://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json

(ironically, src.chromium.org doesn't appear to signal support for safe TLS negotiation via RFC 5746, sigh)

--dkg
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users