Different meanings of "Pinning"

Ryan Sleevi rsleevi at chromium.org
Fri Jan 4 11:17:55 PST 2013


Sorry to break threading, but I only just joined the list, and can't
find a good way to continue the existing thread.

While the current WebSec draft focuses on HTTP, I don't think it's
fair to say that the concept of restrictive-pins is an HTTP-only
approach. Certainly, alternative proposals such as TACK [1] explore
key continuity algorithms at the TLS layer, and there has been active
discussion at both IETF 84 and IETF 85 regarding restrictive-pins for
other TLS-using protocols, such as IMAP.

I think there is significant value in being able to share these pins
on a system-level basis. Even for something as restricted as HTTP, a
user may have multiple possible HTTP clients on their machine: a
libcurl-using updater, wget straight from the shell, Firefox,
Chromium, etc. Being able to collaborate, between applications, on
those key lifecycles strikes me as particularly valuable, especially
when considering the 'wget' fire-and-forget nature.

[1] http://tools.ietf.org/html/draft-perrin-tls-tack-01
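As an added illustration that is not part of Ryan's message, of the WebSec draft or of TACK: a hypothetical system-level pin store that several TLS clients on one machine consult, implementing a trust-on-first-use key-continuity check with restrictive semantics (a presented key outside the pin set is a hard failure until the pin expires). The host name, key bytes, client names and store layout are constructed for the example.

```python
import hashlib
import time

# Constructed example: one pin store shared by every TLS client on the host
# (updater, wget, browser). A pin is the SHA-256 of the server's DER-encoded
# SubjectPublicKeyInfo; the store layout is hypothetical, not a draft's format.

def spki_pin(spki_der: bytes) -> str:
    """Pin = hex SHA-256 over the DER-encoded SubjectPublicKeyInfo."""
    return hashlib.sha256(spki_der).hexdigest()

class SharedPinStore:
    def __init__(self):
        # host -> {"pins": set of fingerprints, "expires": unix time, "seen_by": set}
        self._entries = {}

    def evaluate(self, host, spki_der, client, now=None, max_age=30 * 86400):
        """Key-continuity check; every client calls this before trusting a key.

        Returns "learned" (first contact, pin recorded), "ok" (key matches a
        stored pin), "mismatch" (restrictive pin violated; caller must abort)
        or "relearned" (stored pin had expired, new key recorded).
        """
        now = time.time() if now is None else now
        fp = spki_pin(spki_der)
        entry = self._entries.get(host)
        if entry is None:
            self._entries[host] = {"pins": {fp}, "expires": now + max_age,
                                   "seen_by": {client}}
            return "learned"
        if now > entry["expires"]:
            entry.update(pins={fp}, expires=now + max_age, seen_by={client})
            return "relearned"
        if fp in entry["pins"]:
            entry["expires"] = now + max_age   # continuity observed: refresh
            entry["seen_by"].add(client)       # any client extends the pin's life
            return "ok"
        return "mismatch"

    def add_backup_pin(self, host, spki_der):
        """Operators pin a backup key so a planned rotation is not a mismatch."""
        self._entries[host]["pins"].add(spki_pin(spki_der))

if __name__ == "__main__":
    store = SharedPinStore()
    key_a, key_b = b"constructed-spki-A", b"constructed-spki-B"
    t0 = 1357300000  # constructed epoch, early January 2013
    print(store.evaluate("mail.example", key_a, "chromium", now=t0))
    print(store.evaluate("mail.example", key_a, "wget", now=t0 + 60))
    print(store.evaluate("mail.example", key_b, "updater", now=t0 + 120))
```

A pin first learned by the browser is what later trips the fire-and-forget wget run, which is the cross-application benefit the message argues for.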
