by mike_hearn 4132 days ago
To give a real example, CryptoCat managed to commit pinning suicide recently. They requested a pin in Chrome and then their CA's intermediate expired, meaning they had to reissue the cert... but failed, because Chrome rejected the new cert. They had to wait for the next Chrome version to recover and basically had a multi-week outage because of it.

Pinning eliminates CAs by eliminating the agility they provide. Not inherently an awesome deal.

2 comments

You really need at least one alternate (from a different company!), even though that reduces security. 2 is still better than 150. I'm surprised that Google would accept a one-hash pin, but I guess they'll let you shoot your own foot off if you want to.

The other side of that is you must actually be able to issue certs from that other CA. If you have to wait for your account to get set up and verified, you've lost.

The problem is they switched to non-EV and they pinned only the EV root.
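As an added example (not code from any of the commenters), here is the pin logic the thread is arguing about, reduced to RFC 7469's two rules: a chain validates if any key in it matches any stored pin, and a pin set is only deployable if it has at least two pins with at least one backup pin that is not in the served chain. The SPKI blobs are constructed stand-ins for real DER; the scenarios replay the single-EV-root pin followed by a non-EV reissue, and the same switch with a backup pin from a second CA.

```python
import base64
import hashlib

# Constructed stand-ins for SubjectPublicKeyInfo DER; only their distinctness matters.
LEAF = b"constructed-spki:site-leaf"
EV_INTERMEDIATE = b"constructed-spki:ca1-ev-intermediate"
EV_ROOT = b"constructed-spki:ca1-ev-root"
NON_EV_INTERMEDIATE = b"constructed-spki:ca1-non-ev-intermediate"
NON_EV_ROOT = b"constructed-spki:ca1-non-ev-root"
BACKUP_CA_INTERMEDIATE = b"constructed-spki:ca2-intermediate"
BACKUP_CA_ROOT = b"constructed-spki:ca2-root"

ORIGINAL_CHAIN = [LEAF, EV_INTERMEDIATE, EV_ROOT]


def spki_pin(spki_der):
    """RFC 7469 pin value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def chain_matches_pins(pins, chain):
    """Validation: the connection passes if ANY key in the chain matches ANY pin."""
    return any(spki_pin(key) in pins for key in chain)


def pin_set_is_deployable(pins, chain):
    """Noting a pin set requires >= 2 pins, one matching the served chain and
    one backup pin that matches no key in it (RFC 7469 backup-pin rule)."""
    chain_pins = {spki_pin(key) for key in chain}
    return len(pins) >= 2 and bool(pins & chain_pins) and bool(pins - chain_pins)


def evaluate(pins, new_chain):
    """Report whether a pin set was deployable and whether old/new chains pass."""
    return {
        "deployable": pin_set_is_deployable(pins, ORIGINAL_CHAIN),
        "old_chain_ok": chain_matches_pins(pins, ORIGINAL_CHAIN),
        "new_chain_ok": chain_matches_pins(pins, new_chain),
    }


def single_ev_root_pin_scenario():
    """Only the EV root is pinned; the reissued cert chains to the same CA's
    non-EV root, so no key in the new chain matches and pinned clients reject it."""
    return evaluate({spki_pin(EV_ROOT)}, [LEAF, NON_EV_INTERMEDIATE, NON_EV_ROOT])


def backup_pin_scenario():
    """A backup pin for a second CA's root is present, and the site reissues
    from that CA (where it already holds an account): the new chain validates."""
    pins = {spki_pin(EV_ROOT), spki_pin(BACKUP_CA_ROOT)}
    return evaluate(pins, [LEAF, BACKUP_CA_INTERMEDIATE, BACKUP_CA_ROOT])
```

Note that the second scenario only works because the backup pin belongs to a CA the site can actually obtain a certificate from, which is the point made about account setup above.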