On Tue, Aug 26, 2014 at 2:06 PM, Tom Ritter <t...@ritter.vg> wrote:
> The foot-gun potential is very high with HPKP, we all know that. It's
> high enough to the point that many organizations, who have someone
> maintaining a website part time (or outsource it) may forgo PKP
> entirely because it makes them nervous - but they would be happy to
> deploy a no-risk PKP-RO. But the benefit of doing so if it is not
> being cached is extraordinarily low, to the point it's probably not
> worth doing.
3 full years ago, HPKP was conceived as a single new directive to piggyback on HSTS. Now it's a design-by-committee extravaganza with knobs and bells and whistles all over the place. It also has a jaunty cap. The cap is not a protective helmet, but hey — it *is* jaunty as all get-out. :)

I just want to get something published, even if it's imperfect, so we can move on. This process is taking my time away from other important tasks, and I can't let that happen much longer.

_______________________________________________
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec