前幾天的 Standards Track:「Public Key Pinning Extension for HTTP」。
HPKP (HTTP Public Key Pinning) 機制是讓 server 端在第一次連線時告訴 client (像是瀏覽器) Public Key 資訊,也就是建構在 TOFU (Trust-on-first-use):
Key pinning is a trust-on-first-use (TOFU) mechanism. The first time a UA connects to a host, it lacks the information necessary to perform Pin Validation; UAs can only apply their normal cryptographic identity validation. (In this document, it is assumed that UAs apply X.509 certificate chain validation in accord with [RFC5280].)
機制上很像 HSTS (HTTP Strict Transport Security,RFC6797)。依據 Mozilla 的「Public Key Pinning」資料,目前新版的 Google Chrome 與 Firefox 都有支援了。