On Tue, September 17, 2013 1:31 pm, Yoav Nir wrote:
>
> On Sep 17, 2013, at 11:17 PM, joel jaeggli <joe...@bogus.com> wrote:
>
> > On 9/16/13 5:23 PM, Tom Ritter wrote:
> >> On 16 September 2013 17:10, Bruce Morton <bruce.mor...@entrust.com> wrote:
> >>> Sounds reasonable. One question is that since it is not widely used,
> >>> does it meet the 0.1 percent of connections criteria? I don't know
> >>> how we measure that.
> >>
> >> Chrome's between 16-46% of the market[0] and pins Google and
> >> Twitter[1]. Between Google and Twitter, I'd say it probably hits
> >> 0.1%...
> >
> > is this behavior consistent with what mozilla was doing/did?
> >
> > https://bugzilla.mozilla.org/show_bug.cgi?id=744204
> >
> > https://wiki.mozilla.org/Security/Features/CA_pinning_functionality
>
> Not quite. What Chrome currently has is a static list of pins (gets
> updated when Chrome gets updated). What Mozilla is implementing is a
> dynamic list of pins updated by visiting the site, as specified in
> http://tools.ietf.org/html/draft-ietf-websec-key-pinning. I don't think
> either Google or Twitter emit the HPKP headers (yet).
>
> Yoav

Note: Chrome has a static list of preloaded pins - but also supports dynamic pins, as specified in the draft.
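
The static versus dynamic distinction discussed in this thread, as an added example that is not part of the original messages or any browser's code: a preloaded pin list beside pins learned from a `Public-Key-Pins` header. The header syntax follows the key-pinning draft as later published in RFC 7469; `PinStore`, its methods, the sample key bytes, and the rule that every known pin set must match are assumptions made for illustration.

```python
import base64
import hashlib

def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def parse_pkp(header: str):
    """Parse a Public-Key-Pins header value into (pins, max_age)."""
    pins, max_age = set(), None
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")  # base64 padding stays in value
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "pin-sha256" and value:
            pins.add(value)
        elif name == "max-age" and value.isdigit():
            max_age = int(value)
    return pins, max_age

class PinStore:  # hypothetical client-side store
    def __init__(self, preloaded=None):
        self.static = dict(preloaded or {})  # host -> pins, changes only with a browser update
        self.dynamic = {}                    # host -> (pins, expiry), learned from headers

    def note_header(self, host, header, chain_pins, now):
        """Record dynamic pins seen on a validated connection; True if accepted."""
        pins, max_age = parse_pkp(header)
        # Need max-age, a pin matching the current chain, and a backup pin that does not.
        if max_age is None or not (pins & chain_pins) or not (pins - chain_pins):
            return False
        if max_age == 0:
            self.dynamic.pop(host, None)     # max-age=0 withdraws the pins
        else:
            self.dynamic[host] = (pins, now + max_age)
        return True

    def check(self, host, chain_pins, now):
        """True if the chain satisfies every pin set currently known for host."""
        sets = [self.static[host]] if host in self.static else []
        pins, expiry = self.dynamic.get(host, (set(), 0))
        if expiry > now:
            sets.append(pins)
        return all(s & chain_pins for s in sets)

# Constructed stand-ins for DER SubjectPublicKeyInfo blobs (not real keys).
LEAF, BACKUP, OTHER = (spki_pin(b) for b in (b"leaf-spki", b"backup-spki", b"other-spki"))
HEADER = f'pin-sha256="{LEAF}"; pin-sha256="{BACKUP}"; max-age=5184000'
```

A dynamic pin protects only after a first clean visit and lapses at `max-age`, while a preloaded pin applies from the first connection but can only change with a client update.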