1. Accidentally publish TLS key on website. 2. Revoke certificate. 3. Get new certificate =WITH SAME KEY=. https://groups.google.com/forum/m/#!topic/mozilla.dev.security.policy/71AXGTgcX9c
I like it even more now! Pinning a key without a timely revocation mechanism is broken, and promotes post-compromise key re-use.
Potential compromise is not the reason for pinning, but other CAs issuing is. Short pinning time = less frequent users not protected.
Turns out both happen, like that time Heartbleed compromised millions of keys. Long pinning time = downtime if you need to replace the key.
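The thread's point is that an HPKP pin covers the public key, not the certificate, so a certificate re-issued for a leaked key satisfies the pin exactly as the revoked one did, while replacing the key with an unpinned one locks pinned clients out until max-age runs out. The following simulation is an added example, not code from the thread or from any project mentioned in it. It implements RFC 7469 pin computation (base64 of SHA-256 over the DER SubjectPublicKeyInfo) and the noting/validation rules; the SPKI byte strings are constructed placeholders rather than real keys, and the `revoked_spkis` parameter is a modelling assumption standing in for a separate revocation check, which pin validation itself does not perform.

```python
"""RFC 7469 (HTTP Public Key Pinning) pin computation and validation, simulated.

A pin is base64(SHA-256(DER SubjectPublicKeyInfo)). Because the pin covers the
public key and not the certificate, a replacement certificate issued for the
same key carries the same pin, so pin validation alone cannot distinguish the
re-issued certificate from the one that was revoked. The SPKI values below are
constructed placeholder byte strings, not real keys.
"""
import base64
import hashlib
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Sequence

# Constructed placeholders standing in for DER-encoded SubjectPublicKeyInfo.
SPKI_ORIGINAL = b"placeholder-spki: original leaf key"
SPKI_BACKUP = b"placeholder-spki: offline backup key"
SPKI_FRESH = b"placeholder-spki: newly generated key"

SIXTY_DAYS = 60 * 24 * 3600


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value as it appears in a Public-Key-Pins header."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


@dataclass
class PinSet:
    pins: List[str]
    max_age: int      # seconds, from the header's max-age directive
    received_at: int  # UNIX time at which the header was noted


def note_pins(header_pins: Sequence[str], max_age: int,
              chain_spkis: Sequence[bytes], now: int) -> Optional[PinSet]:
    """Decide whether a client may note a Public-Key-Pins header.

    RFC 7469 section 2.5: at least one pin must match a key in the served
    chain, and at least one pin must match nothing in the chain (the backup
    pin). Headers that fail either test are ignored.
    """
    header = set(header_pins)
    chain = {spki_pin(s) for s in chain_spkis}
    if not (header & chain) or not (header - chain):
        return None
    return PinSet(sorted(header), max_age, now)


def evaluate_chain(pinset: PinSet, chain_spkis: Sequence[bytes], now: int,
                   revoked_spkis: FrozenSet[bytes] = frozenset()) -> str:
    """Outcome of connecting to the pinned host with the given chain.

    The revoked_spkis parameter is a modelling assumption: pin validation
    itself has no notion of revocation, so this is what a separate revocation
    check (CRL/OCSP) would have to contribute.
    """
    if now >= pinset.received_at + pinset.max_age:
        return "unpinned"        # pins expired: ordinary validation only
    chain = {spki_pin(s) for s in chain_spkis}
    if not (set(pinset.pins) & chain):
        return "pin-failure"     # client refuses the connection
    if chain & {spki_pin(s) for s in revoked_spkis}:
        return "pin-ok-but-key-revoked"   # pins are satisfied by a burned key
    return "pin-ok"


def scenario() -> Dict[str, str]:
    """Walk through the situations raised in the thread."""
    t0 = 1_500_000_000
    pins = note_pins([spki_pin(SPKI_ORIGINAL), spki_pin(SPKI_BACKUP)],
                     SIXTY_DAYS, [SPKI_ORIGINAL], t0)
    assert pins is not None
    later = t0 + 86_400
    return {
        # key leaked, certificate revoked, re-issued for the SAME key
        "same_key_reissued": evaluate_chain(pins, [SPKI_ORIGINAL], later,
                                            frozenset({SPKI_ORIGINAL})),
        # replaced with a fresh key that was never pinned: downtime
        "fresh_key_no_backup": evaluate_chain(pins, [SPKI_FRESH], later),
        # rolled to the pre-pinned offline backup key
        "rolled_to_backup": evaluate_chain(pins, [SPKI_BACKUP], later),
        # infrequent visitor returns after max-age: no pin protection at all
        "after_expiry": evaluate_chain(pins, [SPKI_FRESH], t0 + SIXTY_DAYS),
    }


if __name__ == "__main__":
    for case, outcome in scenario().items():
        print(f"{case:22} {outcome}")
```

The four outcomes map onto the trade-off in the thread: the re-issued same-key certificate passes pin validation and is caught only by the revocation check, the unpinned fresh key is rejected for as long as max-age lasts, the pre-pinned backup key is the only downtime-free rotation path, and a visitor who returns after max-age has no pin protection at all.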