[SSL Observatory] wrt HSTS (was: SSL CA compromise in the wild)
Hodges, Jeff
jeff.hodges at paypal-inc.com
Wed Mar 23 11:00:42 PDT 2011
> HTTP Strict Transport Security does not pin the cert (it only
> prevents the user from accepting bad certs
Yes, as presently specified and implemented in its _draft_ form.
This could change. Best place to discuss such would be on the websec list.
https://www.ietf.org/mailman/listinfo/websec
Also, HSTS is arguably an intermediate-term (and specific-to-http) approach to the more general issue of network application advertisement of security policy. I.e. future work may supplant it.
=JeffH
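To make the distinction above concrete, here is an added illustration that is not part of the original post or of the HSTS draft: a minimal user-agent-side HSTS policy store modelled on RFC 6797. The stored policy is nothing more than a host, an expiry and an includeSubDomains flag; it decides whether an http:// URL is upgraded and whether a certificate error may be clicked through, but it carries no certificate or key identity, which is exactly why HSTS on its own pins nothing. Host names and header values are constructed sample data.

```python
"""Minimal HSTS policy store modelled on RFC 6797 (added example, not the
original post's code). A policy holds only host, expiry and the
includeSubDomains flag: no certificate or key identity is stored, so a
known HSTS host still accepts any certificate the client otherwise trusts.
Host names and header values below are constructed sample data."""

from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    host: str
    expires_at: float          # absolute time (seconds) after which the policy lapses
    include_subdomains: bool

    def covers(self, host: str, now: float) -> bool:
        """True if this policy applies to `host` and has not yet expired."""
        if now >= self.expires_at:
            return False
        host = host.lower()
        if host == self.host:
            return True
        return self.include_subdomains and host.endswith("." + self.host)


def parse_hsts_header(value: str) -> Optional[dict]:
    """Parse a Strict-Transport-Security header value into its directives.

    Returns None when the header is invalid per RFC 6797: missing max-age,
    non-numeric max-age, or a repeated directive. Directive names are
    case-insensitive; unknown directives are kept but ignored by the store.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, raw = part.partition("=")
        name = name.strip().lower()
        if name in directives:        # RFC 6797 section 6.1: directives must not repeat
            return None
        directives[name] = raw.strip().strip('"')
    if "max-age" not in directives or not directives["max-age"].isdigit():
        return None
    return directives


class HstsStore:
    """Per-host HSTS state as a user agent would keep it (in memory here)."""

    def __init__(self):
        self._policies: dict[str, HstsPolicy] = {}

    def process_response(self, host: str, header_value: str, now: float) -> bool:
        """Record or replace the policy for `host` from a header that arrived
        over a secure, error-free connection. Returns True if a policy was
        stored; max-age=0 deletes any existing policy for the host."""
        d = parse_hsts_header(header_value)
        if d is None:
            return False
        host = host.lower()
        max_age = int(d["max-age"])
        if max_age == 0:
            self._policies.pop(host, None)
            return False
        self._policies[host] = HstsPolicy(
            host=host,
            expires_at=now + max_age,
            include_subdomains="includesubdomains" in d,
        )
        return True

    def is_known_host(self, host: str, now: float) -> bool:
        return any(p.covers(host, now) for p in self._policies.values())

    def rewrite_url(self, url: str, now: float) -> str:
        """Upgrade http:// to https:// for known HSTS hosts (RFC 6797 section 8.3);
        an explicit port 80 is dropped, any other explicit port is kept."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known_host(parts.hostname or "", now):
            netloc = parts.hostname
            if parts.port and parts.port != 80:
                netloc = f"{netloc}:{parts.port}"
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url

    def allows_click_through(self, host: str, now: float) -> bool:
        """On a TLS certificate error the UA must terminate the connection
        without offering a click-through for a known HSTS host (section 8.4).
        Which certificate was presented never enters this decision."""
        return not self.is_known_host(host, now)
```

Note that `HstsPolicy` has no field in which a certificate fingerprint or public key could live: the only thing a policy changes is the transport choice and the handling of TLS errors, so a certificate the client's trust store already accepts, whatever CA issued it, passes unchanged.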