|Summary:||support HPKP (Public-Key-Pins) Header|
|Product:||Tomcat 9||Reporter:||Ralf Hauser <hauser>|
|Component:||Connectors||Assignee:||Tomcat Developers Mailing List <dev>|
Description Ralf Hauser 2016-06-25 09:10:10 UTC
see https://scotthelme.co.uk/hpkp-http-public-key-pinning/ maybe the HttpHeaderSecurityFilter of bug 58735 can be used for this see also bug 58548
Comment 1 Christopher Schultz 2016-06-28 20:11:03 UTC
I remember hearing about this. I have no objection to anyone else working on this, but it's a terrible design: it's trying to solve the problem of not using DNSSEC by essentially re-implementing DNSSEC with the notable problem of being trust-on-first-use (TOFU). So it's completely useless from a security perspective. You can still be owned: you just have to be owned early.