On Sunday, November 18, 2012 9:12:53 PM UTC+1, Geremy Condra wrote:
> Hey Jeffrey,
> Yep, we pin to the public key that issued the certificate.
> Geremy Condra
> > wrote:
>> Hi All/Nick.
>> According to About Jelly Bean
>> libcore SSL supports pinning:
>> "Certificate Pinning — The libcore SSL implementation now supports
>> certificate pinning. Pinned domains will receive a certificate
>> validation failure if the certificate does not chain to a set of
>> expected certificates. This protects against possible compromise of
>> Certificate Authorities."
>> I know it tells me certificate pinning, but is that public key
>> pinning? I've been running tests on encrypted.google.com and gmail.com
>> for the last 18 months or so. Google rotates its certificates
>> regularly, but the underlying public key is static.
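The difference the thread turns on, as an added example that is not from either poster or from libcore: a certificate fingerprint changes on every reissue, while a hash of the SubjectPublicKeyInfo stays the same as long as the key is reused. The function names, the SHA-256/base64 pin format, the "any certificate in the chain may match" rule and the DER sample data are assumptions constructed here.

```python
import base64, hashlib

def tlv(tag, body):
    # DER-encode one tag-length-value (short or long length form).
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + body

def read_tlv(buf, pos):
    # Return (tag, value_start, end) of the TLV that begins at pos.
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        k = first & 0x7F
        return tag, pos + k, pos + k + int.from_bytes(buf[pos:pos + k], "big")
    return tag, pos, pos + first

def spki_der(cert):
    # Certificate -> tbsCertificate, then collect the spans of its fields.
    _, pos, _ = read_tlv(cert, 0)
    _, pos, end = read_tlv(cert, pos)
    spans = []
    while pos < end:
        tag, _, nxt = read_tlv(cert, pos)
        spans.append((tag, pos, nxt))
        pos = nxt
    skip = 1 if spans[0][0] == 0xA0 else 0  # optional [0] version
    _, start, stop = spans[skip + 5]  # serial, sigAlg, issuer, validity, subject, SPKI
    return cert[start:stop]

def cert_fingerprint(cert):
    return hashlib.sha256(cert).hexdigest()

def spki_pin(cert):
    return base64.b64encode(hashlib.sha256(spki_der(cert)).digest()).decode()

def chain_is_pinned(chain, pins):
    return any(spki_pin(c) in pins for c in chain)

# Constructed sample data: well-formed DER with dummy names, key and signature bytes.
ALG = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")))
NAME = tlv(0x30, b"")
def fake_cert(serial, not_after, spki):
    validity = tlv(0x30, tlv(0x17, b"120101000000Z") + tlv(0x17, not_after))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, serial) + ALG + NAME + validity + NAME + spki)
    return tlv(0x30, tbs + ALG + tlv(0x03, b"\x00sig"))
KEY = tlv(0x30, ALG + tlv(0x03, b"\x00" + bytes(range(140))))
OLD = fake_cert(b"\x01", b"120601000000Z", KEY)
NEW = fake_cert(b"\x02", b"121201000000Z", KEY)  # reissued, same key
print(spki_pin(OLD) == spki_pin(NEW), cert_fingerprint(OLD) == cert_fingerprint(NEW))
```

A pin set built from `spki_pin(OLD)` still accepts `NEW`, whereas a pin on `cert_fingerprint(OLD)` would fail after the rotation.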