Hi all,
It's good to see the progress in draft-ietf-websec-key-pinning-01. I'm still
concerned about the impact of pinning on non-pinned domains, and don't see
anything present to warn about or mitigate this. Apologies if I've missed
discussion of this on-list/in the archives.
My concern center
On 13 Sep 2011, at 23:30, Marsh Ray wrote:
>
> Wouldn't they have to acquire a valid cert first? Not saying that's out of
> the realm of possibility, but...
Yeah, but in the case that you've gained control of a domain's DNS, which is
what happened, how hard would it be to get a valid DV cert?
On 13 Sep 2011, at 21:35, Chris Palmer wrote:
>
> sites; small sites may have to choose no pinning or potentially
> bricking their site (up to the maxAge window). This is not worse than
> the status quo."""
What about sites which don't currently use https at all? The DNS records for
theregister