Closed Bug 1006107 Opened 11 years ago Closed 11 years ago

Set enforcement level for pinning to zero and setup pinning for *.addons.mozilla.org

Categories

(Core :: Security: PSM, defect)

x86_64
Linux
defect
Not set
normal

RESOLVED FIXED
mozilla32

People

(Reporter: cviecco, Assigned: cviecco)

Attachments

(1 file, 1 obsolete file)

After today's meeting we agreed on:
1. make the pinning pref not hidden
2. Change the default from 1 (enable mitm) to 0 (pinning disabled)
3. Put the addons site pins back on (and include use mozilla_cdn as the pinning info).
Attached patch set-addons-pinn-and-pref-to-disabled (obsolete) (deleted) — Splinter Review
Attachment #8417600 - Flags: review?(dkeeler)
Assignee: nobody → cviecco
Comment on attachment 8417600 [details] [diff] [review] set-addons-pinn-and-pref-to-disabled Review of attachment 8417600 [details] [diff] [review]: ----------------------------------------------------------------- Great - r=me with comments addressed. ::: security/manager/tools/PreloadedHPKPins.json @@ +25,5 @@ > // equifax -> aus3 > // Geotrust Primary -> www.mozilla.org > // Geotrust Global -> *. addons.mozilla.org > > +// From bug 772756, mozilla uses GeoTrust, Digicert and Thawte Put this documentation next to the declaration of the pinset itself. @@ +30,5 @@ > // geotrust ca info: http://www.geotrust.com/resources/root-certificates/index.html > { > "pinsets": [ > { > "name": "mozilla", If we're not using this pinset, let's remove it. In fact, let's remove this pinset and call the other one "mozilla". @@ +93,5 @@ > } > ], > > "entries": [ > + // from bug 1005653 we learned that addon subdomains include cdn sites I'm not sure this comment is helpful in the long run.
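Review bot: the comment added in the @@ +25,5 hunk names three CAs (GeoTrust, Digicert and Thawte), but the host mapping comments directly above it only cover the equifax and Geotrust roots, so a reader cannot tell which hosts Digicert or Thawte relate to. Either extend the mapping list to cover those CAs or state in the new line that it has no per-host mapping, and match the "Geotrust" / "GeoTrust" spelling between the two.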
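Review bot: in the @@ +93,5 hunk the new comment at the top of "entries" records where the information came from (bug 1005653) but not what it changes in the list. Say which entry it applies to and what that entry does about the CDN-hosted subdomains, so the line still makes sense to someone who has not read the bug.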
Attachment #8417600 - Flags: review?(dkeeler) → review+
Keeping r+ from keeler
Attachment #8417600 - Attachment is obsolete: true
Attachment #8417643 - Flags: review+
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla32
Summary: Set enforcement level for pining to zero and setup pinning for *.addons.mozilla.org → Set enforcement level for pinning to zero and setup pinning for *.addons.mozilla.org