[nsgi]

With the current system, they can just seize the domain and get a certificate for it.

[tptacek]

No. Seizing the domain does not help them if millions of browsers have the correct certificate pinned.

Meanwhile: we're all pretty unhappy that the USG does just seize domains. How can it possibly be reasonable for us to support a forklift upgrade of a core protocol that burns that capability permanently and cryptographically into the core of the Internet?

[micro-ram]

Unless you have a short life 90 day cert from LetsEncrypt.org then your pinning doesn't last very long.

[tptacek]

I'm not sure what your argument is. Can you restate it?