Yoav Nir wrote:

> Pinning every HTTPS certificate on the planet is not scalable. What
> you *can* do is have each site pin their site. That's the point of
> HPKP ([1]).
>
> For this to work, you need to at some point be without the MITM. I
> guess that wouldn't help you much where MITM are pervasive, like Iran
> or Syria, but it would work where attacks are the exception.

What? Do you mean pervasive attack by NSA for Iran or Syria?

Anyway, pervasive attack longer than lifetime of pinning can
demolish HPKP.

Moreover, it is still no better than DH, because initially shared
DH key can be kept forever or as long as the lifetime of pinning.

There is no royal road in secure communication.

Masataka Ohta