On 17/09/13 15:18, a...@google.com wrote:
> On Tuesday, September 17, 2013 4:58:28 AM UTC-4, Gervase Markham
> wrote:
>> Can we work out what those requirements are by studying the
>> pinning configuration for google.com and its subdomains in Chrome?
> 
> There are two different things that I fear are getting conflated
> here:
> 
> 1) HSTS (i.e. "HTTPS required") preloading.
> 2) Public key pinning.

Yes, my fault, sorry.

> Chromium also contains preloaded pinning for Google, Twitter, Tor and
> CryptoCat. This is also manually managed, but is not open to everyone
> as it takes much more time to handle these.

Have you reached out to other high profile sites which have been
attacked in the past for pinning info, and they have declined? Or are
you aiming to keep this list short for now?

> We also have a number of domains ("gmail.com", "googlemail.com" etc)
> which require SNI to serve the correct certificate

Change of topic: that's really interesting. You are using SNI in
production? What about IE on Windows XP and the other non-SNI-supporting
platforms?

Gerv
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security