Post-scriptum:

> On 14 Apr 2016, at 19:19, Aaron Zauner <a...@azet.org> wrote:
> [0] http://news.netcraft.com/archives/2016/03/30/http-public-key-pinning-youre-doing-it-wrong.html (current)
> [1] https://www.internetsociety.org/sites/default/files/01_4_0.pdf (about a year old)
These two studies outline something very well: while tech. invented and used at Google like HPKP works very well between their servers and client software they distribute, update and maintain themselves, it has been a failure for the broader internet community. I initially had big hopes for HPKP as it effectively bypassed the TLS working group to become a standard. TACK had been the (earlier, far better) alternative, but got stuck in TLS-WG due to a more general discussion on the CA eco-system, mostly ignoring the superior features, some of which the HPKP authors re-used as I'm sure you're all aware. The end result after standardisation and people trying to write proper deployment automation scripts is just bad. HSTS had its difficulties but it's a far better protocol if you ask me. I also feel the feedback mechanism in HPKP is rather poorly designed.

Aaron
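The deployment problems the post refers to (sites shipping a single pin, very long max-age values, no reporting) can be caught before a header goes live. The following linter is an added example and not code from the original post or the cited studies; the sample headers, the placeholder SPKI bytes the pins are derived from, and the 60-day max-age warning threshold are all constructed for this example (RFC 7469 itself only requires at least two distinct pins, one of which must not match any certificate in the served chain).

```python
import base64
import binascii
import hashlib

# Constructed placeholders: a real pin-sha256 value is the base64 of
# SHA-256 over the DER-encoded SubjectPublicKeyInfo of the key being pinned.
PRIMARY_PIN = base64.b64encode(hashlib.sha256(b"constructed primary SPKI").digest()).decode()
BACKUP_PIN = base64.b64encode(hashlib.sha256(b"constructed backup SPKI").digest()).decode()

# A header that meets the basic deployment hygiene checks below.
GOOD_HEADER = (
    f'pin-sha256="{PRIMARY_PIN}"; pin-sha256="{BACKUP_PIN}"; '
    'max-age=2592000; includeSubDomains; report-uri="https://example.invalid/hpkp-report"'
)
# The lockout-prone shape: one pin, a year-long max-age, no report-uri.
BAD_HEADER = f'pin-sha256="{PRIMARY_PIN}"; max-age=31536000'

# Threshold chosen for this example, not a value taken from the RFC.
MAX_AGE_WARN_SECONDS = 60 * 24 * 3600


def parse_hpkp(header):
    """Split a Public-Key-Pins header into its pin list and other directives."""
    pins, directives = [], {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        # Partition on the first "=" only: base64 pins end in "=" padding.
        name, sep, value = part.partition("=")
        name = name.strip().lower()
        if not sep:
            directives[name] = True          # valueless directive, e.g. includeSubDomains
        elif name == "pin-sha256":
            pins.append(value.strip().strip('"'))
        else:
            directives[name] = value.strip().strip('"')
    return pins, directives


def pin_is_valid(pin):
    """A pin-sha256 value must be strict base64 decoding to exactly 32 bytes."""
    try:
        return len(base64.b64decode(pin, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False


def lint_hpkp(header):
    """Return a list of deployment findings; an empty list means no issues found."""
    findings = []
    pins, directives = parse_hpkp(header)

    for pin in pins:
        if not pin_is_valid(pin):
            findings.append(f"malformed pin (not base64 of 32 bytes): {pin!r}")

    if len(set(pins)) < 2:
        findings.append("fewer than two distinct pins: no backup pin, so key rotation locks clients out")

    max_age = directives.get("max-age")
    if max_age is None or not str(max_age).isdigit():
        findings.append("max-age missing or not a non-negative integer")
    elif int(max_age) > MAX_AGE_WARN_SECONDS:
        findings.append(f"max-age {max_age}s exceeds {MAX_AGE_WARN_SECONDS}s: a bad pin set stays cached that long")

    if "report-uri" not in directives:
        findings.append("no report-uri: pin validation failures are never reported back")

    return findings


if __name__ == "__main__":
    for label, header in (("good", GOOD_HEADER), ("bad", BAD_HEADER)):
        print(label, lint_hpkp(header) or "ok")
```

Run it against a header pulled from staging before it reaches production; the checks are deliberately conservative, and a `max-age=0` header (used to clear a previously set pin) passes the max-age check by design.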
_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta