On 9/17/13 1:31 PM, Yoav Nir wrote:
> 
> On Sep 17, 2013, at 11:17 PM, joel jaeggli <joe...@bogus.com> wrote:
> 
>> On 9/16/13 5:23 PM, Tom Ritter wrote:
>>> On 16 September 2013 17:10, Bruce Morton
>>> <bruce.mor...@entrust.com> wrote:
>>>> Sounds reasonable. One question is that since it is not widely
>>>> used, does it meet the 0.1 percent of connections criteria? I
>>>> don’t know how we measure that.
>>> 
>>> Chrome's between 16-46% of the market[0] and pins Google and 
>>> Twitter[1].  Between Google and Twitter, I'd say it probably
>>> hits 0.1%...
>> 
>> Is this behavior consistent with what Mozilla was doing/did?
>> 
>> https://bugzilla.mozilla.org/show_bug.cgi?id=744204
>> 
>> https://wiki.mozilla.org/Security/Features/CA_pinning_functionality
>
>> 
> Not quite.  What Chrome currently has is a static list of pins (gets
> updated when Chrome gets updated). What Mozilla is implementing is a
> dynamic list of pins updated by visiting the site, as specified in
> http://tools.ietf.org/html/draft-ietf-websec-key-pinning. I don't
> think either Google or Twitter emit the HPKP headers (yet).

It sounds somewhat nascent. The existing practice seems to have
practical limits to its scaling/applicability; the new one isn't quite
there yet.

> Yoav
> 
> 

_______________________________________________
wpkops mailing list
wpkops@ietf.org
https://www.ietf.org/mailman/listinfo/wpkops
