<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
On 12/18/2013 11:32 PM, From Ryan Sleevi:
<blockquote
cite="mid:CACvaWvbHjw1=Q7X3mabXT+TNtyJqeNQByFe79YHmm4DAWxUstQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Wed, Dec 18, 2013 at 1:23 PM, Eddy
Nigg (StartCom Ltd.) <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:eddy_nigg@startcom.org" target="_blank">eddy_nigg@startcom.org</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> <br>
On 12/18/2013 10:14 PM, From Ryan Sleevi:
<blockquote type="cite">
<div class="im">
<p dir="ltr"> > How did you arrive at that sum?
Pinning shouldn't really cost anything once the
code is in the browsers. I also assume that code
changes for CT wouldn't be any cheaper than that.</p>
</div>
<p dir="ltr">Pinning is NOT just a knob you turn. It
carries huge operational risks to realize the
preventative guarantees.</p>
</blockquote>
<br>
Are we talking about the same thing here?</div>
</blockquote>
<div><br>
</div>
<div>Absolutely.</div>
<div><br>
</div>
<div>If you haven't followed the IETF discussions about
pinning, I absolutely encourage you to do so. </div>
</div>
</div>
</div>
</blockquote>
<br>
Sadly I don't have much time for IETF discussions, but...<br>
<br>
<blockquote
cite="mid:CACvaWvbHjw1=Q7X3mabXT+TNtyJqeNQByFe79YHmm4DAWxUstQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div>The pinning draft itself is careful to spell out that
there are non-trivial risks aplenty with pinning, BUT it
can provide *preventative* mitigation.<br>
</div>
</div>
</div>
</div>
</blockquote>
<br>
WHAT? By pinning, I understand pinning a particular certificate to a
particular host name in the browser. Is this what you are talking
about?<br>
<br>
<br>
<div class="moz-signature">
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td colspan="2">Regards </td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
<tr>
<td>Signer: </td>
<td>Eddy Nigg, COO/CTO</td>
</tr>
<tr>
<td> </td>
<td><a href="http://www.startcom.org">StartCom Ltd.</a></td>
</tr>
<tr>
<td>XMPP: </td>
<td><a href="xmpp:startcom@startcom.org">startcom@startcom.org</a></td>
</tr>
<tr>
<td>Blog: </td>
<td><a href="http://blog.startcom.org">Join the Revolution!</a></td>
</tr>
<tr>
<td>Twitter: </td>
<td><a href="http://twitter.com/eddy_nigg">Follow Me</a></td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
</tbody>
</table>
</div>
<br>
</body>
</html>