treyd 5 hours ago
With PKI you're trusting a certificate chain up to a CA you already trust, by way of your OS or browser vendor. A domain can layer on HSTS to that, which directs clients to additionally refuse to trust a new cert for a domain until the one you currently trust has expired.
scheub 3 hours ago (reply to parent)
That's not what HSTS does. It asks the client to remember that you want to only use TLS for that domain and refuse to use unencrypted HTTP in the future.
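The client-side behaviour scheub describes, as an added example that is not from either commenter: a small Python model of an HSTS store per RFC 6797 that records `Strict-Transport-Security` policies learned over TLS and upgrades later `http://` URLs itself. Host names and header values used with it are constructed for the illustration.

```python
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

# Constructed sketch of what scheub describes (RFC 6797): a client remembers
# hosts that sent Strict-Transport-Security over TLS and rewrites later
# http:// URLs to https:// until the policy expires. No pinning is involved.
# A policy is stored as (expiry_time, include_subdomains); hosts are lowercase.
Policy = Tuple[float, bool]

def parse_hsts(header: str, now: float) -> Optional[Policy]:
    """Parse a Strict-Transport-Security value; None means ignore the header."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                return None   # duplicate or malformed max-age: reject whole header
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (now + max_age, include_sub)  # max-age mandatory

def learn(store: Dict[str, Policy], host: str, header: str, over_tls: bool, now: float) -> None:
    """Record a policy; headers seen over plain HTTP are ignored (RFC 6797 s8.1)."""
    policy = parse_hsts(header, now) if over_tls else None
    if policy is None:
        return
    if policy[0] <= now:                 # max-age=0 clears an existing policy
        store.pop(host.lower(), None)
    else:
        store[host.lower()] = policy

def is_known(store: Dict[str, Policy], host: str, now: float) -> bool:
    labels = host.lower().split(".")
    for i in range(len(labels)):         # exact host first, then each parent domain
        policy = store.get(".".join(labels[i:]))
        if policy and policy[0] > now and (i == 0 or policy[1]):
            return True
    return False

def rewrite(store: Dict[str, Policy], url: str, now: float) -> str:
    """Upgrade http:// to https:// for a known host; leave other URLs alone."""
    p = urlsplit(url)
    if p.scheme != "http" or not p.hostname or not is_known(store, p.hostname, now):
        return url
    netloc = p.hostname if p.port in (None, 80) else p.netloc   # drop default port
    return urlunsplit(("https", netloc, p.path, p.query, p.fragment))
```

Note that nothing here inspects certificates: once a policy is cached the client never sends plain HTTP to that host, which is the whole of what the header asks for.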