Closed
Bug 1074091
Opened 10 years ago
Closed 8 years ago
enable pinning for call.mozilla.com
Categories
(Core :: Security: PSM, defect)
RESOLVED
WONTFIX
People
(Reporter: freddy, Unassigned)
call.mozilla.com is the server for Loop/Hello.
call.mozilla.com doesn't appear to exist any more. Do we still want to pin the loop/hello server(s)? If so, what are they and what should we put in the pinset?
Flags: needinfo?(fbraun)
Comment 2•9 years ago (Reporter)
That would be hello.mozilla.com, apparently.
Lots of things changed since I've last been there.
Let's reach out to the leads of Hello, to get their input
Flags: needinfo?(standard8)
Flags: needinfo?(ianb)
Flags: needinfo?(fbraun)
Comment 3•9 years ago
I think this would be done at the ops level. JP or Phrawzty: thoughts?
Flags: needinfo?(standard8)
Flags: needinfo?(jschneider)
Flags: needinfo?(ianb)
Flags: needinfo?(dmaher)
Comment 4•9 years ago (Reporter)
The main question is: Do you still want this? We can implement key-pinning to be preloaded in Firefox.
Comment 5•9 years ago
As far as I know, Hello uses these two domains:
- hello.firefox.com
- loop.services.mozilla.com
loop.s.m.c is already protected by the pinning in place for s.m.c [1]. We only need to add hello.firefox.com to this list:
{
  "name": "hello.firefox.com",
  "include_subdomains": true,
  "pins": "mozilla_services",
  "test_mode": false,
  "id": 6
}
I believe that one is for you, keeler.
One question for Ian: do you know which domain TokBox uses for their URLs? The preloaded CSP contains tokbox.com and opentox.com. I just want to make sure we don't accidentally pin them to a CA they don't use.
[1] https://mxr.mozilla.org/mozilla-central/source/security/manager/tools/PreloadedHPKPins.json#201
Flags: needinfo?(jschneider)
Flags: needinfo?(ianb)
Flags: needinfo?(dmaher)
Flags: needinfo?(dkeeler)
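Added example (not part of the bug thread and not Firefox's own code): a sketch of how a preload-list lookup decides which entry covers a hostname, showing why loop.services.mozilla.com is already covered while hello.firefox.com needs its own entry. The services.mozilla.com entry, the label-by-label walk, and the function names are assumptions made for illustration.

```python
import json

# Constructed sample in the shape of the entry quoted in Comment 5.
# The services.mozilla.com entry is an assumed stand-in for the existing
# "s.m.c" entry; the hello.firefox.com entry is the one proposed above.
ENTRIES = json.loads("""
[
  {"name": "services.mozilla.com", "include_subdomains": true,
   "pins": "mozilla_services", "test_mode": false},
  {"name": "hello.firefox.com", "include_subdomains": true,
   "pins": "mozilla_services", "test_mode": false, "id": 6}
]
""")


def normalize(host):
    """Lower-case the name and drop a trailing root dot."""
    return host.strip().rstrip(".").lower()


def find_pin_entry(host, entries):
    """Return the entry that applies to host, or None if it is unpinned.

    Walks from the full name towards the TLD one label at a time, so the
    match is on whole labels (never a plain string suffix). A parent entry
    applies only when it sets include_subdomains.
    """
    by_name = {normalize(e["name"]): e for e in entries}
    host = normalize(host)
    candidate = host
    while candidate:
        entry = by_name.get(candidate)
        if entry and (candidate == host or entry.get("include_subdomains")):
            return entry
        # Strip the left-most label; ends with "" once the TLD is consumed.
        _, _, candidate = candidate.partition(".")
    return None


if __name__ == "__main__":
    hosts = ["loop.services.mozilla.com", "hello.firefox.com",
             "tokbox.com", "notservices.mozilla.com"]
    for label, entries in (("before", ENTRIES[:1]), ("after", ENTRIES)):
        for h in hosts:
            e = find_pin_entry(h, entries)
            print(label, h, "->", (e["name"], e["pins"]) if e else "unpinned")
```

Running the same lookup over any third-party hostnames before a list change shows whether a new entry would start pinning them.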
Julien, are you wanting a patch for just hello.firefox.com right now, or do you want to wait until we have the information for tokbox.com / opentox.com?
Flags: needinfo?(dkeeler) → needinfo?(jvehent)
Comment 8•9 years ago
I think we should wait for Mark's reply. I don't want to break hello.
Flags: needinfo?(jvehent)
Comment 9•8 years ago
After talking with ulfr, this appears to be overcome by events, so I'm marking it WONTFIX.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(standard8)
Resolution: --- → WONTFIX