[SSL Observatory] wrt HSTS (was: SSL CA compromise in the wild)
Matt McCutchen
matt at mattmccutchen.net
Wed Mar 23 11:08:48 PDT 2011
On Wed, 2011-03-23 at 12:00 -0600, Hodges, Jeff wrote:
> > HTTP Strict Transport Security does not pin the cert (it only
> > prevents the user from accepting bad certs
>
> Yes, as presently specified and implemented in its _draft_ form.
>
> This could change. Best place to discuss such would be on the websec list.
>
> https://www.ietf.org/mailman/listinfo/websec
Understood. But I wouldn't propose to change that. HSTS is the wrong
place to fundamentally change the TLS server authentication model.
--
Matt