[SSL Observatory] wrt HSTS (was: SSL CA compromise in the wild)

Matt McCutchen matt at mattmccutchen.net
Wed Mar 23 11:08:48 PDT 2011


On Wed, 2011-03-23 at 12:00 -0600, Hodges, Jeff wrote:
> > HTTP Strict Transport Security does not pin the cert (it only
> > prevents the user from accepting bad certs
> 
> Yes, as presently specified and implemented in its _draft_ form.
> 
> This could change. Best place to discuss such would be on the websec list.
> 
>   https://www.ietf.org/mailman/listinfo/websec

Understood.  But I wouldn't propose to change that.  HSTS is the wrong
place to fundamentally change the TLS server authentication model.

-- 
Matt
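
As an added example, not part of the original message or of the HSTS draft, here is a small client-side HSTS policy store in Python with the semantics the 2011 draft gives a "Known HSTS Host": max-age, includeSubDomains, the header honoured only over TLS with no certificate errors, and http:// rewritten to https://. Its certificate_decision function makes the point of the reply concrete: a chain that validates to any trusted CA is accepted, nothing is compared against a stored key, and an invalid chain is fatal only for a known host. The class and function names (HstsStore, parse_sts_header, certificate_decision) and the sample hosts are invented for this example.

```python
"""Minimal HSTS policy store modelled on the 2011 draft (draft-ietf-websec-strict-transport-sec).

It shows the two things HSTS does for a "Known HSTS Host": rewrite http:// to
https://, and turn certificate errors into hard failures. It keeps no record of
which certificate or key the host should present, so it pins nothing.
Example code added here, not from the original message or the HSTS draft;
hostnames used below are constructed sample input."""
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    host: str
    expires: float          # absolute time (seconds) at which the policy lapses
    include_subdomains: bool


def parse_sts_header(value):
    """Parse a Strict-Transport-Security field value.

    Returns (max_age_seconds, include_subdomains), or None if the value is
    invalid: max-age missing or non-numeric, or a directive repeated.
    """
    max_age = None
    include_sub = False
    seen = set()
    for raw in value.split(";"):
        part = raw.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
        # Unknown directives are ignored so the header can be extended later.
    if max_age is None:
        return None
    return max_age, include_sub


class HstsStore:
    """Per-host HSTS policies; `now` is injectable so expiry can be tested."""

    def __init__(self, now=time.time):
        self._now = now
        self._policies = {}

    def note_response(self, host, over_tls, chain_valid, header_value):
        """Record the STS header of a response; returns True if it was honoured.

        The draft only lets the header take effect over TLS with no
        certificate errors, so an attacker on plain HTTP cannot plant a policy.
        """
        if not over_tls or not chain_valid:
            return False
        parsed = parse_sts_header(header_value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = host.lower()
        if max_age == 0:
            self._policies.pop(host, None)   # max-age=0 withdraws the policy
        else:
            self._policies[host] = HstsPolicy(host, self._now() + max_age, include_sub)
        return True

    def is_known_host(self, host):
        """Exact match, or a superdomain whose unexpired policy has includeSubDomains."""
        labels = host.lower().split(".")
        now = self._now()
        for i in range(len(labels)):
            policy = self._policies.get(".".join(labels[i:]))
            if policy is None or policy.expires <= now:
                continue
            if i == 0 or policy.include_subdomains:
                return True
        return False

    def upgrade_url(self, url):
        """Rewrite http:// to https:// for known hosts; other URLs are unchanged.

        An explicit port 80 becomes 443 (by dropping it); other explicit ports
        are kept, as the draft specifies. Userinfo in the URL is not handled here.
        """
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname:
            return url
        if not self.is_known_host(parts.hostname):
            return url
        netloc = parts.hostname
        if parts.port not in (None, 80):
            netloc += f":{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

    def certificate_decision(self, host, chain_valid):
        """What HSTS changes about TLS authentication, and what it does not.

        A chain that validates to any trusted CA is accepted whether or not the
        host is known: nothing here compares the certificate to a stored key.
        An invalid chain is fatal for a known host and otherwise left to the
        usual user prompt.
        """
        if chain_valid:
            return "accept"
        return "fail-closed" if self.is_known_host(host) else "ask-user"
```

Note that a mis-issued certificate from any CA in the trust store yields "accept" for a known host exactly as for an unknown one; the store has no field that could hold a pin, which is why pinning would have to be a separate mechanism rather than a change to HSTS.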
