[websec] Sites with Key Pinning Headers (not preloaded pins)

"Martin J. Dürst" <duerst@it.aoyama.ac.jp> Thu, 08 January 2015 11:22 UTC

Return-Path: <duerst@it.aoyama.ac.jp>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 1C0471A1A8C for <websec@ietfa.amsl.com>; Thu, 8 Jan 2015 03:22:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.899
X-Spam-Level: **
X-Spam-Status: No, score=2.899 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HELO_EQ_JP=1.244, HOST_EQ_JP=1.265, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-0.7, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id QH9epA25a-Xf for <websec@ietfa.amsl.com>; Thu, 8 Jan 2015 03:21:59 -0800 (PST)
Received: from scintmta01-14.scbb.aoyama.ac.jp (scintmta.scbb.aoyama.ac.jp []) by ietfa.amsl.com (Postfix) with ESMTP id 3CCCC1A1BC3 for <websec@ietf.org>; Thu, 8 Jan 2015 03:21:58 -0800 (PST)
Received: from scmeg01-14.scbb.aoyama.ac.jp (scmse.scbb.aoyama.ac.jp []) by scintmta01-14.scbb.aoyama.ac.jp (Postfix) with ESMTP id 95F7932E534; Thu, 8 Jan 2015 20:21:10 +0900 (JST)
Received: from itmail2.it.aoyama.ac.jp (unknown []) by scmeg01-14.scbb.aoyama.ac.jp with smtp id 4836_9a25_e5dc19aa_370f_4ae5_91a4_b31b6013296c; Thu, 08 Jan 2015 20:21:09 +0900
Received: from [] (unknown []) by itmail2.it.aoyama.ac.jp (Postfix) with ESMTP id A2CE0BF540; Thu, 8 Jan 2015 20:21:09 +0900 (JST)
Message-ID: <54AE6825.7010203@it.aoyama.ac.jp>
Date: Thu, 08 Jan 2015 20:21:09 +0900
From: =?UTF-8?B?Ik1hcnRpbiBKLiBEw7xyc3Qi?= <duerst@it.aoyama.ac.jp>
Organization: Aoyama Gakuin University
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
MIME-Version: 1.0
To: Chris Evans <cevans@google.com>, Chris Palmer <palmer@google.com>, Ryan Sleevi <sleevi@google.com>
References: <CAH8yC8=XEr9q8VHarucKa0rVqSPt3=oDzDRWXA3_u4rkhpZmoQ@mail.gmail.com> <8E436DD1-8EFB-4270-81CA-717B0FDD9A4F@gmail.com>
In-Reply-To: <8E436DD1-8EFB-4270-81CA-717B0FDD9A4F@gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/websec/60o9v3dU0N1EGeBDn_QeoKStdxg>
Cc: IETF WebSec WG <websec@ietf.org>
Subject: [websec] Sites with Key Pinning Headers (not preloaded pins)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Jan 2015 11:22:01 -0000

Hello Chris, Chris, Ryan, and everybody,

A student of mine is working on a small client-side implementation of 
key pinning. For testing, we would like to know sites that already send 
the respective headers (Public-Key-Pins and/or 
Public-Key-Pins-Report-Only). Any replies on the list or in private 

Regards,   Martin.