Another step towards crowdfunding

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Dec 18 03:26:00 CET 2013


On 12/17/2013 08:45 PM, Micah Lee wrote:
> As far as I know these preload lists only force HTTPS for these domains.
> I wonder if anyone could convince the browser vendors to also do
> certificate pinning, bypassing PKI based on CAs altogether?

I believe the answer for public-key-pinning is the same as for HSTS.

That is, if you've already implemented the possible footgun that is
public-key-pinning on your web site via the standard HTTP headers, and
you have demonstrated that it works for you, you can send patches to agl
against:

https://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json

(ironically, src.chromium.org doesn't appear to signal support for safe
TLS negotiation via RFC 5746, sigh)

	--dkg


More information about the Gnupg-users mailing list