Hi Gerv,

> On 28. Sep 2017, at 19:06, Gervase Markham via dev-security-policy
> <dev-security-policy@lists.mozilla.org> wrote:
>
> Is "1 year" not a relatively common (for some value of "common") setting
> for HPKP timeouts for sites which think they have now mastered HPKP?
We did a large-scale scan of about 200M domains for HPKP in April 2017. We found a max-age median duration of 1 month and about 10% of domains that set max-age values to 1 year or more. I am attaching the plot. HPKP is missing, as it is very similar to HPKP|HSTS. The associated paper will be camera-ready tomorrow, happy to share it then.

> Does anyone have stats on HPKP prevalence and duration distribution?
> Ideally combined with whether the longer time periods are pinning to
> roots, intermediates or EE certs?

We did not look into that, but it should be doable from the data.

Kind regards
Quirin
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
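The measurement Quirin describes (collect Public-Key-Pins headers, then look at the max-age distribution: median, share at one year or more) reduces to parsing the header per RFC 7469 and aggregating. The block below is an added example and is not code from the scan, the paper or the list thread; the host names, pin values and max-age figures in SAMPLE_HEADERS are constructed for illustration, and the "valid" check only enforces the syntactic rule (a max-age plus at least two pins) since the served certificate chain is not available offline.

```python
"""Parse Public-Key-Pins headers (RFC 7469) and summarise the max-age distribution.

Added example, not part of the original mailing-list post. The sample headers
below are constructed; the pin values are base64(SHA-256(label)) stand-ins,
not real SPKI hashes.
"""
import base64
import hashlib
import re
import statistics

ONE_MONTH = 30 * 24 * 3600   # 2592000 seconds
ONE_YEAR = 365 * 24 * 3600   # 31536000 seconds

# One directive: name, optionally "=" and a quoted or bare value.
_DIRECTIVE_RE = re.compile(r'\s*([A-Za-z0-9-]+)\s*(?:=\s*(?:"([^"]*)"|([^;"\s]*)))?\s*')


def _fake_pin(label: str) -> str:
    """Constructed pin value with the right shape (base64 of 32 bytes)."""
    return base64.b64encode(hashlib.sha256(label.encode()).digest()).decode()


def parse_hpkp(header: str) -> dict:
    """Parse a Public-Key-Pins header value.

    A header counts as valid only if it carries a max-age and at least two
    well-formed pins (RFC 7469 requires a backup pin). Whether a pin matches
    the served chain is not checked here.
    """
    pins, max_age, include_sub, report_uri = [], None, False, None
    for part in header.split(";"):
        if not part.strip():
            continue
        m = _DIRECTIVE_RE.fullmatch(part)
        if not m:
            continue  # malformed directive, skip it
        name = m.group(1).lower()
        value = m.group(2) if m.group(2) is not None else m.group(3)
        if name == "pin-sha256" and value:
            try:
                if len(base64.b64decode(value, validate=True)) == 32:
                    pins.append(value)
            except ValueError:
                pass  # not base64 of a SHA-256 digest, ignore the pin
        elif name == "max-age" and value is not None and value.isdigit():
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "report-uri":
            report_uri = value
    return {
        "pins": pins,
        "max_age": max_age,
        "include_subdomains": include_sub,
        "report_uri": report_uri,
        "valid": max_age is not None and len(pins) >= 2,
    }


def summarize(headers: dict) -> dict:
    """Aggregate a host -> header mapping into the statistics quoted above."""
    durations, invalid, cleared = [], 0, 0
    for raw in headers.values():
        parsed = parse_hpkp(raw)
        if not parsed["valid"]:
            invalid += 1
        elif parsed["max_age"] == 0:
            cleared += 1  # max-age=0 removes a pin; it is not a pin duration
        else:
            durations.append(parsed["max_age"])
    if not durations:
        return {"pinned": 0, "invalid": invalid, "cleared": cleared,
                "median_max_age": None, "share_one_year_or_more": 0.0}
    return {
        "pinned": len(durations),
        "invalid": invalid,
        "cleared": cleared,
        "median_max_age": statistics.median(durations),
        "share_one_year_or_more": sum(d >= ONE_YEAR for d in durations) / len(durations),
    }


# Constructed sample: two pins + max-age is the common case; g has no max-age,
# h has no backup pin, f clears its pins with max-age=0.
SAMPLE_HEADERS = {
    "a.example": f'pin-sha256="{_fake_pin("a1")}"; pin-sha256="{_fake_pin("a2")}"; max-age=2592000',
    "b.example": f'max-age=5184000; pin-sha256="{_fake_pin("b1")}"; pin-sha256="{_fake_pin("b2")}"; includeSubDomains',
    "c.example": f'pin-sha256="{_fake_pin("c1")}"; pin-sha256="{_fake_pin("c2")}"; max-age=604800; report-uri="https://c.example/hpkp-report"',
    "d.example": f'pin-sha256="{_fake_pin("d1")}"; pin-sha256="{_fake_pin("d2")}"; max-age=31536000',
    "e.example": f'pin-sha256="{_fake_pin("e1")}"; pin-sha256="{_fake_pin("e2")}"; max-age=2592000',
    "f.example": f'pin-sha256="{_fake_pin("f1")}"; pin-sha256="{_fake_pin("f2")}"; max-age=0',
    "g.example": f'pin-sha256="{_fake_pin("g1")}"; pin-sha256="{_fake_pin("g2")}"',
    "h.example": f'pin-sha256="{_fake_pin("h1")}"; max-age=2592000',
    "i.example": f'pin-sha256="{_fake_pin("i1")}"; pin-sha256="{_fake_pin("i2")}"; max-age=63072000',
    "j.example": f'pin-sha256="{_fake_pin("j1")}"; pin-sha256="{_fake_pin("j2")}"; max-age=2592000',
}

if __name__ == "__main__":
    for k, v in summarize(SAMPLE_HEADERS).items():
        print(f"{k}: {v}")
```

Running it on the constructed sample gives a median of 2592000 seconds (one month) over the seven hosts with a usable pin, two invalid headers, one cleared pin, and two of seven (about 29%) at one year or more. On real scan data the same summarize() would be fed the headers collected per host; answering Gerv's follow-up about root vs. intermediate vs. leaf pins would additionally need the served chain so each pin can be matched against the SPKI hashes of its certificates.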