[Ach] HTTP key pinning (HTKP)

Aaron Zauner azet at azet.org
Wed Mar 19 23:44:11 CET 2014

Hi Hanno,

Hanno Böck wrote:
> Any idea why this is done on HTTP? I'd say wrong layer - you want
> the same functionality for TLS in general.

I'm not sure either, probably because Google cares a lot more about HTTP
than any other company out there. The draft was issued by Google
employees. I do agree that this is the wrong layer, although I do not
really care as long as pinning gets common knowledge and deployed more

> And: Isn't this basically the same idea as TACK?

Yes. TACK is even more sexy in terms of specification. The draft expired
last summer though, and I do not see much discussion on that topic
over at the TLS-WG. It does get mentioned from time to time, so TACK is
certainly not forgotten.

