Lucas Garron

Results 801 comments of Lucas Garron

Will look at the other code later; is neverssl.com failing now?

> I am worried about the requirements for the HSTS preload list constantly changing.

The requirements were not properly codified until recently, and they themselves are not likely to change...

An idea that I have jotted down somewhere: log the certificate we see when connecting to a site in the scan (or at least log an SPKI hash).

Manually run scans are at https://github.com/lgarron/hstspreload-scans for now.

> Manually run scans are at https://github.com/lgarron/hstspreload-scans for now.

Note that I've upgraded this to automatic scans running since December 23. However, the data is not appropriate for a git...

> and would mean you wouldn't need to add a new backend batch process.

Yeah, that would certainly be nice.

> But the downsides are that it would feed the...

Eric and I are starting a doc at https://docs.google.com/document/d/1fngkzHVBRRzYKWgiKDiUrOqWDUkDBbbTXAbo4BHEAoI/edit#heading=h.4y6h6fq2j9e2

@bifurcation, @mozmark, @marumari: @konklone and I have discussed options and considerations in [this doc](https://docs.google.com/document/d/1fngkzHVBRRzYKWgiKDiUrOqWDUkDBbbTXAbo4BHEAoI/edit#), but one important consideration is whether other browsers are willing to preload classes of domains regardless...

> @konklone @lgarron Is there already a process to include security critical domains into the preload list privately? As it may be useful for some security critical domains.

Do you mean...

> Yes, I do think we should support it in very exceptional circumstances and there are lots of use cases where it's appropriate not to reveal the site's domain publicly...