Re: [websec] Certificate Pinning via HSTS (.txt version)

SM <> Tue, 13 September 2011 23:06 UTC

Date: Tue, 13 Sep 2011 16:06:53 -0700
To: Yoav Nir <>
From: SM <>
Cc: IETF WebSec WG <>
List-Id: Web Application Security Minus Authentication and Transport <>

Hi Yoav,
At 11:41 13-09-2011, Yoav Nir wrote:
>Six months ago we would not have thought that Comodo or DigiNotar 
>were easy to hack. In the latter case, the customers of DigiNotar 
>were left out in the cold. Without

   "The DigiNotar partnership has laid down its security policy in action protocols and technical protocols. For safety reasons, these documents are not publicly available, which means that they are unavailable for inspection."

   "A regular audit is performed by an independent external auditor to assess Comodo's compliance with the AICPA/CICA WebTrust program for Certification Authorities."

People get sloppy.  Businesses get complacent.  At the end of the 
day, it is a business decision.