[SSL Observatory] wrt HSTS (was: SSL CA compromise in the wild)
Hodges, Jeff
jeff.hodges at paypal-inc.com
Wed Mar 23 11:24:16 PDT 2011
> From: Matt McCutchen [mailto:matt at mattmccutchen.net]
> Sent: Wednesday, March 23, 2011 11:09 AM
>
> On Wed, 2011-03-23 at 12:00 -0600, Hodges, Jeff wrote:
> > > HTTP Strict Transport Security does not pin the cert (it only
> > > prevents the user from accepting bad certs
> >
> > Yes, as presently specified and implemented in its _draft_ form.
> >
> > This could change. Best place to discuss such would be on the websec list.
> >
> > https://www.ietf.org/mailman/listinfo/websec
>
> Understood. But I wouldn't propose to change that. HSTS is the wrong
> place to fundamentally change the TLS server authentication model.
I nominally disagree with the latter for various reasons, but we should discuss on websec@.
And, to reiterate...
HSTS is arguably an intermediate-term (and specific-to-HTTP) approach to
the more general issue of network application advertisement of security policy.
I.e. future work may supplant it.
=JeffH
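To make concrete what the thread means by "HSTS does not pin the cert", here is an added illustration (written for this archive page, not code from either poster or from any browser): a small model of what a user agent stores when it receives a Strict-Transport-Security header and what it does with it. The directive syntax and the URL-rewriting rules follow what the draft later became, RFC 6797; the class and function names, and the sample header values, are this example's own. The stored policy holds only a host, a lifetime and an includeSubDomains flag. There is no certificate, key or CA identity anywhere in it, which is exactly why an HSTS host can still be impersonated by a mis-issued certificate that chains to a trusted root: HSTS only removes the click-through on certificate errors and forces https://, it does not say which certificate is the right one.

```python
"""Model of HSTS policy handling (added illustration, not browser code).

Shows the two effects of a Strict-Transport-Security policy:
  1. http:// URLs for a known HSTS host are rewritten to https://.
  2. TLS certificate errors for a known HSTS host are fatal, not click-through.
Nothing in the stored policy identifies a certificate: HSTS is not a pin.
"""
from dataclasses import dataclass, fields
from typing import Dict, Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    """What a user agent retains for one host (RFC 6797 section 5)."""
    host: str
    max_age: int            # seconds the policy is valid for
    include_subdomains: bool


def parse_sts_header(host: str, value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value received over TLS from `host`.

    Returns None when the header is invalid and must be ignored: a missing
    max-age, a non-numeric max-age, or a directive that appears twice.
    Unknown directives are ignored, as the spec requires.
    """
    max_age: Optional[int] = None
    include_sub = False
    seen = set()
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name in seen:            # duplicate directive invalidates the header
            return None
        seen.add(name)
        if name == "max-age":
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return HstsPolicy(host.lower(), max_age, include_sub)


class HstsStore:
    """In-memory "known HSTS hosts" list with the UA-side decisions."""

    def __init__(self) -> None:
        self.policies: Dict[str, HstsPolicy] = {}

    def note(self, policy: HstsPolicy) -> None:
        # max-age=0 tells the UA to forget the host; otherwise replace the entry
        if policy.max_age == 0:
            self.policies.pop(policy.host, None)
        else:
            self.policies[policy.host] = policy

    def is_known_host(self, host: str) -> bool:
        host = host.lower()
        if host in self.policies:
            return True
        # superdomain match only counts when that entry set includeSubDomains
        labels = host.split(".")
        for i in range(1, len(labels)):
            parent = self.policies.get(".".join(labels[i:]))
            if parent is not None and parent.include_subdomains:
                return True
        return False

    def rewrite_url(self, url: str) -> str:
        """Effect 1: upgrade http:// to https:// for known hosts (RFC 6797 section 8.3)."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known_host(parts.hostname):
            return url
        netloc = parts.hostname
        if parts.port not in (None, 80):   # drop an explicit :80, keep other ports
            netloc = f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

    def tls_error_action(self, host: str) -> str:
        """Effect 2: a certificate error on a known host is fatal; elsewhere the UA may prompt."""
        return "fatal" if self.is_known_host(host) else "prompt"


def policy_field_names() -> list:
    """The complete set of things HSTS remembers about a host: no cert or key identity."""
    return [f.name for f in fields(HstsPolicy)]


if __name__ == "__main__":
    # Constructed sample header, as a site would send it over its HTTPS origin.
    store = HstsStore()
    store.note(parse_sts_header("example.com", "max-age=31536000; includeSubDomains"))
    print(store.rewrite_url("http://www.example.com/login"))   # https://www.example.com/login
    print(store.tls_error_action("example.com"))               # fatal
    print(policy_field_names())                                # ['host', 'max_age', 'include_subdomains']
```

The `policy_field_names()` helper exists only to make the point visible in code: a certificate pinning mechanism would need some notion of "which certificate or key" in the stored record, and HSTS has none.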