Hi Tom,
[Cc to privacy-nuts :-)]
At 06:29 09-07-2013, Tom Ritter wrote:
>On 9 July 2013 00:23, Joseph Bonneau <[email protected]> wrote:
>> There is no advice to implementers, however. Is there a reason not to make
>> explicit that user agents SHOULD remove pins for privacy reasons, something
>> along the lines of the text I suggested previously:
>It states that UAs must let people clear data:
>>UAs MUST have a way for users to clear current pins for Pinned Hosts.
>>UAs SHOULD have a way for users to query the current state of Pinned
>>Hosts.
I read Section 5 and missed the above (it's in Section 7). Section 5
basically says that HPKP can be a super-cookie. It then explains two
attack scenarios. I think that the privacy considerations should be
made explicit.
Regards,
-sm
_______________________________________________
ietf-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ietf-privacy
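The "HPKP as a super-cookie" point in the message above, worked through as a toy model. This is an added example, not code from the thread or from the draft: a tracker under an assumed domain (tracker.example) pins one subdomain per bit of a user identifier, then reads the identifier back by serving a known key on every subdomain and seeing which ones the UA refuses. The pin store, key blobs and host names are constructed for the model; real HPKP would also require a backup pin and the tracker would observe refusals as failed subresource loads rather than by calling the UA directly. The Section 7 MUST (a way to clear pins) is what erases the identifier.

```python
"""Toy model of the HPKP super-cookie described in the thread (added example)."""
import base64
import hashlib

NBITS = 8
TRACKER = "tracker.example"  # assumed tracker-controlled domain


def pin_of(spki: bytes) -> str:
    """HPKP pin value: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki).digest()).decode()


# Constructed stand-ins for two SubjectPublicKeyInfo blobs (any bytes will do here).
PIN_A = pin_of(b"spki-of-tracker-key-A")
PIN_B = pin_of(b"spki-of-tracker-key-B")


def bit_host(i: int) -> str:
    """One subdomain per identifier bit, e.g. b3.tracker.example."""
    return f"b{i}.{TRACKER}"


CANARY = f"canary.{TRACKER}"  # always pinned to B; lets the tracker detect a cleared store


class PinStore:
    """Minimal model of a UA's Pinned Hosts store (no max-age, no includeSubDomains)."""

    def __init__(self) -> None:
        self._pins: dict[str, frozenset[str]] = {}

    def note_pins(self, host: str, pins: set[str]) -> None:
        """Record a Public-Key-Pins header received over a validated connection."""
        self._pins[host] = frozenset(pins)

    def validate(self, host: str, chain_pins: list[str]) -> bool:
        """Connection allowed if host is unpinned or the chain carries a pinned key."""
        if host not in self._pins:
            return True
        return bool(self._pins[host] & frozenset(chain_pins))

    def clear(self) -> None:
        """The Section 7 MUST: the user can clear all current pins."""
        self._pins.clear()

    def pinned_hosts(self) -> list[str]:
        """The Section 7 SHOULD: query the current state of Pinned Hosts."""
        return sorted(self._pins)


def tracker_set_id(store: PinStore, user_id: int) -> None:
    """Encode user_id: subdomain i serves key A if bit i is set, key B otherwise."""
    for i in range(NBITS):
        key = PIN_A if (user_id >> i) & 1 else PIN_B
        store.note_pins(bit_host(i), {key})
    store.note_pins(CANARY, {PIN_B})


def tracker_read_id(store: PinStore):
    """Serve key A everywhere; hosts pinned to B refuse the connection and reveal 0 bits.

    Returns None when the canary accepts key A, i.e. the UA has no pins for us
    (fresh profile, or the user cleared pins).
    """
    if store.validate(CANARY, [PIN_A]):
        return None
    return sum(1 << i for i in range(NBITS) if store.validate(bit_host(i), [PIN_A]))


if __name__ == "__main__":
    ua = PinStore()
    tracker_set_id(ua, 0xA5)
    print(tracker_read_id(ua))   # identifier survives across visits
    ua.clear()
    print(tracker_read_id(ua))   # None: clearing pins kills the super-cookie
```

With 8 subdomains the tracker gets 8 bits per visit; nothing in the model limits the count, which is why the thread treats the pin store like any other persistent client-side state that the user must be able to wipe.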