Bug 59754

Summary: support HPKP (Public-Key-Pins) Header
Product: Tomcat 9 Reporter: Ralf Hauser <hauser>
Component: ConnectorsAssignee: Tomcat Developers Mailing List <dev>
Severity: enhancement    
Priority: P2    
Version: unspecified   
Target Milestone: -----   
Hardware: PC   
OS: Linux   

Description Ralf Hauser 2016-06-25 09:10:10 UTC
see https://scotthelme.co.uk/hpkp-http-public-key-pinning/

maybe the HttpHeaderSecurityFilter of bug 58735 can be used for this

see also bug 58548
Comment 1 Christopher Schultz 2016-06-28 20:11:03 UTC
I remember hearing about this.

I have no objection to anyone else working on this, but it's a terrible design: it's trying to solve the problem of not using DNSSEC by essentially re-implementing DNSSEC with the notable problem of being trust-on-first-use (TOFU). So it's completely useless from a security perspective. You can still be owned: you just have to be owned early.
Comment 2 Mark Thomas 2016-06-29 17:25:55 UTC

*** This bug has been marked as a duplicate of bug 59179 ***