[SSL Observatory] wrt HSTS (was: SSL CA compromise in the wild)

Hodges, Jeff jeff.hodges at paypal-inc.com
Wed Mar 23 11:00:42 PDT 2011


> HTTP Strict Transport Security does not pin the cert (it only
> prevents the user from accepting bad certs

Yes, as presently specified and implemented in its _draft_ form.

This could change. Best place to discuss such would be on the websec list:

  https://www.ietf.org/mailman/listinfo/websec


Also, HSTS is arguably an intermediate-term (and specific-to-http) approach to the more general issue of network application advertisement of security policy. I.e. future work may supplant it.

=JeffH
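As an added illustration of the point quoted above (not part of the original post or of any browser's code), here is a toy model of what a draft-HSTS client does with a Strict-Transport-Security header: it records a per-host policy (max-age, includeSubDomains), upgrades plain-http requests, and turns a certificate error on a known host into a hard failure instead of a click-through dialog. Nothing in it stores or compares a certificate, which is the "does not pin the cert" distinction. `HstsStore` and its method names are hypothetical.

```python
import time

def parse_sts(header):
    """Parse a Strict-Transport-Security value; None if max-age is missing/invalid."""
    policy = {"max_age": None, "include_subdomains": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                policy["max_age"] = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy if policy["max_age"] is not None else None

class HstsStore:
    """Toy client-side HSTS policy store (hypothetical, for illustration only)."""
    def __init__(self, now=time.time):
        self.now = now
        self.hosts = {}  # host -> (expiry timestamp, include_subdomains)
    def observe(self, host, header, over_tls=True):
        """Record a policy only when it arrived over an error-free TLS connection."""
        policy = parse_sts(header) if over_tls else None
        if policy is None:
            return False
        if policy["max_age"] == 0:  # max-age=0 tells the client to forget the host
            self.hosts.pop(host, None)
        else:
            self.hosts[host] = (self.now() + policy["max_age"], policy["include_subdomains"])
        return True
    def is_known(self, host):
        """True if host, or a parent with includeSubDomains, has an unexpired policy."""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry and entry[0] > self.now() and (i == 0 or entry[1]):
                return True
        return False
    def decide(self, url, cert_ok=True):
        """Client action for a request; a bad cert on a known host is a hard failure."""
        scheme, _, rest = url.partition("://")
        host = rest.split("/")[0]
        if not self.is_known(host):
            return "proceed" if cert_ok else "warn-user"  # ordinary click-through dialog
        if scheme == "http":
            return "upgrade-to-https"
        return "proceed" if cert_ok else "hard-fail"  # user cannot override; no pin is checked
```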