Public Key Pinning Extension for HTTP


Public Key Pinning Extension for HTTP (RFC 7469, HPKP) defines a new HTTP Header Field that allows web host operators to instruct user-agents to remember ("pin") the host's cryptographic identities over a period of time.

During that time, user-agents will require that the host present a Certificate Chain including at least one Subject Public Key Info structure whose Certificate Fingerprint matches one of the pinned Certificate Fingerprints for that host. By effectively reducing the number of trusted authorities who can authenticate the domain during the lifetime of the pin, pinning may reduce the incidence of Man-In-The-Middle attacks due to compromised Certification Authorities.

Public Key Pinning Extension for HTTP is a form of Certificate Pinning.
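The check described above, as an added example that is not code from RFC 7469 or any browser: a pin is the base64 SHA-256 of the DER SubjectPublicKeyInfo, and a user-agent only notes a Public-Key-Pins header when max-age is present, at least one pin matches an SPKI in the served chain, and at least one Backup Pin (a pin matching nothing in the chain) is offered. The 32-byte Ed25519 key values and the header string are constructed sample data.

```python
import base64
import hashlib
import re

# Minimal DER SubjectPublicKeyInfo for an Ed25519 public key (RFC 8410):
# SEQUENCE { SEQUENCE { OID 1.3.101.112 }, BIT STRING key }.
# The key bytes fed to this function below are constructed samples, not real keys.
def ed25519_spki_der(pubkey: bytes) -> bytes:
    assert len(pubkey) == 32
    alg_id = b"\x30\x05\x06\x03\x2b\x65\x70"      # SEQUENCE { OID 1.3.101.112 }
    bit_string = b"\x03\x21\x00" + pubkey          # BIT STRING, 0 unused bits
    body = alg_id + bit_string
    return b"\x30" + bytes([len(body)]) + body     # outer SEQUENCE, 42-byte body

def spki_fingerprint(spki_der: bytes) -> str:
    # HPKP pin value: base64(SHA-256(DER SubjectPublicKeyInfo))
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def parse_pkp_header(value: str) -> dict:
    # Extracts the pin set and the max-age / includeSubDomains directives.
    pins = set(re.findall(r'pin-sha256\s*=\s*"([^"]+)"', value))
    max_age = re.search(r"max-age\s*=\s*(\d+)", value)
    return {
        "pins": pins,
        "max_age": int(max_age.group(1)) if max_age else None,
        "include_subdomains": "includesubdomains" in value.lower(),
    }

def validate_pkp(header: str, chain_spki_ders: list) -> tuple:
    # Mirrors what a user-agent checks before noting pins for a host.
    h = parse_pkp_header(header)
    if h["max_age"] is None:
        return False, "max-age directive is required"
    if not h["pins"]:
        return False, "no pin-sha256 directives"
    chain_fps = {spki_fingerprint(d) for d in chain_spki_ders}
    if not (h["pins"] & chain_fps):
        return False, "Pin Validation failed: no pin matches the served chain"
    if not (h["pins"] - chain_fps):
        return False, "no Backup Pin: every pin is in the served chain"
    return True, "pins noted for %d seconds" % h["max_age"]

if __name__ == "__main__":
    leaf = ed25519_spki_der(bytes(range(32)))        # constructed sample leaf key
    backup = ed25519_spki_der(bytes(range(32, 64)))  # constructed sample offline backup key
    hdr = 'pin-sha256="%s"; pin-sha256="%s"; max-age=5184000; includeSubDomains' % (
        spki_fingerprint(leaf), spki_fingerprint(backup))
    print(validate_pkp(hdr, [leaf]))
```

Dropping the backup pin, or serving a chain whose SPKIs match none of the pins, makes the header unusable to the browser, which is the narrow margin for error that makes HPKP deployment unforgiving.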

Intent To Deprecate And Remove: Public Key Pinning#

The problem with HPKP is that it can be quite a complex idea to get your head around, and it requires a perfect deployment; otherwise things can go wrong.[2]
  • 2017-10-27 Google published Intent To Deprecate And Remove: Public Key Pinning. [1]
  • 2017-10-24 I'm giving up on HPKP - Scott Helme. [2]
