Google To Remove Public Key Pinning (PKP) Support In Chrome (bleepingcomputer.com)
An anonymous reader writes: Late yesterday afternoon, Google announced plans to deprecate and eventually remove PKP support from the Chromium open-source browser, which indirectly means from Chrome... According to Google engineer Chris Palmer, low adoption and technical difficulties are among the reasons why Google plans to remove the feature from Chrome.
"We would like to do this in Chrome 67, which is estimated to be released to Stable on 29 May 2018," Palmer says. The proposal is up in the air, and users can submit opinions against Google's intent to deprecate, but seeing how little PKP was adopted, it's most likely already out the door. A Neustar survey from March 2016 had PKP deployment at only 0.09% of all HTTPS sites. By August 2017, that needle had barely moved to 0.4% of all sites in the Alexa Top 1 Million.
It's not meaningful to distinguish between registrar and CA. These days, for many people, they're the same company, about $12/yr for each function.
The difference with DANE is trusting only one Registrar/CA instead of trusting all the CAs not to issue fake certs. Certificate transparency accomplishes the same thing.
It's not a real solution because registrars aren't trustworthy, either. The real solution is Sovereign Keys.
DANE has an appealing orderliness to it that satisfies people with OCD, but if you apply the attack model correctly it's a half-measure, and strictly inferior to Sovereign Keys.