On 17/09/13 15:18, a...@google.com wrote:
> On Tuesday, September 17, 2013 4:58:28 AM UTC-4, Gervase Markham
> wrote:
>> Can we work out what those requirements are by studying the
>> pinning configuration for google.com and its subdomains in Chrome?
>
> There are two different things that I fear are getting conflated
> here:
>
> 1) HSTS (i.e. "HTTPS required") preloading.
> 2) Public key pinning.

Yes, my fault, sorry.

> Chromium also contains preloaded pinning for Google, Twitter, Tor and
> CryptoCat. This is also manually managed, but is not open to everyone
> as it takes much more time to handle these.

Have you reached out to other high-profile sites which have been attacked
in the past for pinning info, and they have declined? Or are you aiming
to keep this list short for now?

> We also have a number of domains ("gmail.com", "googlemail.com" etc.)
> which require SNI to serve the correct certificate

Change of topic: that's really interesting. You are using SNI in
production? What about IE on Windows XP and the other non-SNI-supporting
platforms?

Gerv
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
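The two mechanisms the thread distinguishes (HSTS preloading versus public key pinning) are easy to conflate because both are shipped as browser-side lists. The following Python is an added example, not code from the thread or from Chromium: it parses a `Strict-Transport-Security` header and checks it against preload-list style eligibility rules, and separately evaluates a certificate chain against a pin set using the "any SPKI in the chain matches any pin" rule of HPKP (RFC 7469). The `PRELOAD_MIN_MAX_AGE` threshold is an assumption (the published preload requirements have changed over time), and the SPKI blobs are constructed stand-ins, not real keys.

```python
"""HSTS preloading vs. public key pinning: two separate checks.

Added example. Assumptions: PRELOAD_MIN_MAX_AGE is an assumed threshold
(the preload list's published minimum has changed over time); the SPKI
byte strings are constructed sample data, not real SubjectPublicKeyInfo.
"""
from __future__ import annotations

import base64
import hashlib
from dataclasses import dataclass

# Assumed minimum max-age for preload-list inclusion (18 weeks, in seconds).
PRELOAD_MIN_MAX_AGE = 18 * 7 * 24 * 3600


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security header value (RFC 6797, section 6.1).

    Directives are case-insensitive and separated by semicolons. max-age is
    required; includeSubDomains and preload are valueless flags. Unknown
    directives are ignored, as the RFC requires.
    """
    max_age = None
    include_subdomains = False
    preload = False
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                raise ValueError(f"bad max-age value: {value!r}")
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return HstsPolicy(max_age, include_subdomains, preload)


def preload_problems(policy: HstsPolicy) -> list[str]:
    """Return the reasons a policy is NOT preload-eligible (empty list = eligible)."""
    problems = []
    if policy.max_age < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {policy.max_age} is below {PRELOAD_MIN_MAX_AGE}")
    if not policy.include_subdomains:
        problems.append("includeSubDomains directive missing")
    if not policy.preload:
        problems.append("preload directive missing")
    return problems


def spki_pin(spki_der: bytes) -> str:
    """Pin value = base64(SHA-256(SubjectPublicKeyInfo DER)), as in RFC 7469."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def chain_matches_pins(chain_spkis: list[bytes], pins: set[str]) -> bool:
    """A chain satisfies a pin set if ANY SPKI in the chain matches ANY pin.

    Pins may sit on the leaf or on any CA key, which is why a pinned site can
    rotate leaf certificates under a pinned intermediate without touching the
    pin set. This check is independent of HSTS: a host can be preloaded for
    HTTPS without any pins, or pinned without being HSTS-preloaded.
    """
    return any(spki_pin(spki) in pins for spki in chain_spkis)


# Constructed sample data: stand-ins for SPKI DER blobs, not real keys.
LEAF_SPKI = b"constructed-leaf-spki"
INTERMEDIATE_SPKI = b"constructed-intermediate-spki"
ROOT_SPKI = b"constructed-root-spki"
SAMPLE_CHAIN = [LEAF_SPKI, INTERMEDIATE_SPKI, ROOT_SPKI]


def demo() -> dict[str, object]:
    """Run both checks on the constructed data and return the results."""
    preload_ok = parse_hsts("max-age=31536000; includeSubDomains; preload")
    preload_short = parse_hsts("MAX-AGE=300")
    pinned_on_intermediate = {spki_pin(INTERMEDIATE_SPKI)}
    return {
        "eligible_policy_problems": preload_problems(preload_ok),
        "short_policy_problems": preload_problems(preload_short),
        "chain_matches_intermediate_pin": chain_matches_pins(SAMPLE_CHAIN, pinned_on_intermediate),
        "chain_matches_unrelated_pin": chain_matches_pins(SAMPLE_CHAIN, {spki_pin(b"unrelated")}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two functions deliberately share no state: `preload_problems` only ever sees the HSTS header, and `chain_matches_pins` only ever sees key material, which mirrors the point made in the thread that the "HTTPS required" list and the pin list are managed and enforced separately.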