[cryptography] Public Key Pinning Extension for HTTP (draft-ietf-websec-key-pinning-01)

Jeffrey Walton noloader at gmail.com
Thu Nov 1 17:22:37 EDT 2012

Hi All,

I was reading through Public Key Pinning Extension for HTTP

Section 3.1, Backup Pins, specifies that a backup should be available
in case something goes awry with the current pinset. The backup pinset
is a hash of undisclosed certificates or keys. Appendix A, Fingerprint
Generation, then offers a program to hash a PEM-encoded certificate.

My question: Google (and likely others) rotate their certificates
regularly, while the underlying public key is fixed (from observations
over the last 2 years or so). Does that mean those complying with the
specification will need to send an out-of-band update with the newest
hashed backup certificate (about every 30 or 60 days)? Would it be
better to retain a hash of the public key instead since the public key
rarely changes?
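
The distinction the question turns on, as an added example that is not part of the original post or of the draft: a hash over the whole certificate changes on every reissue, while a hash over the SubjectPublicKeyInfo changes only when the key does. Assumptions: pins are base64-encoded SHA-256 digests, the certificates are constructed test structures (fake moduli, all-zero signatures, hypothetical name example.test), and every helper name is illustrative.

```python
import base64, hashlib

def tlv(tag, body):
    """DER-encode one element with a definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def children(der):
    """Split one constructed DER element into the raw encodings of its members."""
    i, out = 2 + (der[1] & 0x7F if der[1] & 0x80 else 0), []
    while i < len(der):
        n, h = der[i + 1], 2
        if n & 0x80:  # long-form length
            h = 2 + (n & 0x7F)
            n = int.from_bytes(der[i + 2:i + h], "big")
        out.append(der[i:i + h + n])
        i += h + n
    return out

def spki_of(cert_der):
    """Return the DER SubjectPublicKeyInfo from an X.509 certificate."""
    tbs = children(children(cert_der)[0])
    return tbs[6] if tbs[0][0] == 0xA0 else tbs[5]  # [0] version is absent in v1

def pin(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

# Constructed test material: fake RSA moduli and an all-zero signature.
def rsa_alg(last):  # AlgorithmIdentifier under OID arc 1.2.840.113549.1.1
    return tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d0101") + last) + tlv(0x05, b""))

def fake_spki(fill):
    rsa_key = tlv(0x30, tlv(0x02, b"\x00" + fill * 256) + tlv(0x02, b"\x01\x00\x01"))
    return tlv(0x30, rsa_alg(b"\x01") + tlv(0x03, b"\x00" + rsa_key))

NAME = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, b"example.test"))))

def make_cert(serial, not_before, not_after, spki):
    validity = tlv(0x30, tlv(0x17, not_before) + tlv(0x17, not_after))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, bytes([serial]))
              + rsa_alg(b"\x0b") + NAME + validity + NAME + spki)
    return tlv(0x30, tbs + rsa_alg(b"\x0b") + tlv(0x03, b"\x00" * 257))

KEY_A, KEY_B = fake_spki(b"\xc3"), fake_spki(b"\xa5")
OLD = make_cert(1, b"121001000000Z", b"121130000000Z", KEY_A)       # original certificate
REISSUED = make_cert(2, b"121130000000Z", b"130129000000Z", KEY_A)  # new cert, same key
REKEYED = make_cert(3, b"121130000000Z", b"130129000000Z", KEY_B)   # new cert, new key

if __name__ == "__main__":
    for name, cert in (("old", OLD), ("reissued", REISSUED), ("rekeyed", REKEYED)):
        print(f"{name:9} cert={pin(cert)} spki={pin(spki_of(cert))}")
```

Run against real certificates by passing their DER bytes to `spki_of`; the parser reads only the fields needed to locate the key and does not validate the certificate.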


