My notes:

I believe the BNF (pseudo-BNF?) is incorrect:

Public-Key-Pins = "Public-Key-Pins" ":" LWS directives

   directives      = max-age LWS ";" LWS fingerprints
                     / fingerprints LWS ";" LWS max-age

   max-age         = "max-age" LWS "=" LWS delta-seconds

   pins            = "pins" LWS "=" LWS fingerprints

   fingerprints    = fingerprint
                     / fingerprint "," fingerprints

   fingerprint     = fp-type "-" base64-digits

   fp-type         = "sha1"
                     / "sha256"
                                        
I believe 'directives' should replace "fingerprints" with "pins":

   directives      = max-age LWS ";" LWS pins
                     / pins LWS ";" LWS max-age
                                        
================

I think this paragraph is misworded:

UAs MUST have a way for users to clear current pins that were set by
   HSTS.  UAs SHOULD have a way for users to query the current state of
   Pinned Hosts.

Instead of HSTS, should that be "Public Key Pinning"?  If not, pins
set during HSTS must be flagged and treated differently - why?

================

Miscellany:

 - There is no directive or suggestion to User Agents about saving or
not saving pins received in a private browsing mode.  Maybe there
shouldn't be, but if a User-Agent does save them, the same 304/ETag
trick malicious sites use to track users can be created using certs
and subdomains.
 - The "Pinning Self-Signed End Entities" section was a bit confusing,
I had to read it a couple times to be sure you were talking about a
server's self-signed cert, and not a client cert.
 - The Pin-Break mechanism gets more complicated with each revision.
I know it's being shopped around for both this and the approach to put
pinning in the TLS layer (TACK), but does its removal imply pin
break codes are not intended to go into the final version of this
document, or will it be added later after the first bit is worked out?


Thanks Chris(es)!

-tom
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec

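As an added illustration of the grammar point raised above (this is example code written for these notes, not code from the draft, from tom, or from the websec list): a small Python parser for the Public-Key-Pins header value as quoted in the message, with the "directives" production read as "max-age ; pins" / "pins ; max-age" rather than "fingerprints". It accepts either directive order, tolerates LWS around "=" and ";", and rejects a header that uses the grammar's literal word "fingerprints" as a directive name. Two things go beyond the quoted grammar and are assumptions made here: a decoded fingerprint must be 20 bytes for sha1 and 32 bytes for sha256 (the grammar only says "base64-digits"), and whitespace around "," is tolerated. The sample digests are computed from made-up byte strings, not real SubjectPublicKeyInfo values. Note that this is the syntax of the early draft being discussed; the syntax later published in RFC 7469 (pin-sha256="..." directives) is different.

```python
import base64
import hashlib
import re

# Expected raw digest lengths per fp-type. This check is an assumption added
# here: the quoted grammar only says "base64-digits" and does not constrain
# the length, but a pin that cannot be a SHA-1 / SHA-256 output is useless.
DIGEST_LEN = {"sha1": 20, "sha256": 32}

# LWS in the quoted grammar: zero or more spaces/tabs.
LWS = r"[ \t]*"
MAX_AGE_RE = re.compile(r"^max-age" + LWS + "=" + LWS + r"(\d+)$", re.IGNORECASE)
PINS_RE = re.compile(r"^pins" + LWS + "=" + LWS + r"(\S.*)$", re.IGNORECASE)
FINGERPRINT_RE = re.compile(r"^(sha1|sha256)-([A-Za-z0-9+/]+={0,2})$", re.IGNORECASE)


class PinParseError(ValueError):
    """Raised when a header value does not match the draft grammar."""


def parse_fingerprint(token):
    """fingerprint = fp-type "-" base64-digits  ->  (fp_type, raw digest bytes)."""
    m = FINGERPRINT_RE.match(token.strip())  # strip: tolerate LWS around ","
    if not m:
        raise PinParseError("malformed fingerprint: %r" % token)
    fp_type = m.group(1).lower()
    try:
        digest = base64.b64decode(m.group(2), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise PinParseError("bad base64 in fingerprint: %r" % token) from exc
    if len(digest) != DIGEST_LEN[fp_type]:
        raise PinParseError("%s digest must be %d bytes, got %d"
                            % (fp_type, DIGEST_LEN[fp_type], len(digest)))
    return fp_type, digest


def parse_public_key_pins(value):
    """Parse a Public-Key-Pins header value into {'max_age': int, 'pins': [...]}.

    directives = max-age LWS ";" LWS pins / pins LWS ";" LWS max-age
    Either order is accepted; exactly one of each directive is required.
    """
    parts = value.split(";")
    if len(parts) != 2:
        raise PinParseError("expected exactly two ';'-separated directives")
    max_age = None
    pins = None
    for part in parts:
        part = part.strip()  # consumes the LWS on both sides of ";"
        m = MAX_AGE_RE.match(part)
        if m:
            if max_age is not None:
                raise PinParseError("duplicate max-age directive")
            max_age = int(m.group(1))  # delta-seconds
            continue
        m = PINS_RE.match(part)
        if m:
            if pins is not None:
                raise PinParseError("duplicate pins directive")
            # fingerprints = fingerprint / fingerprint "," fingerprints
            pins = [parse_fingerprint(tok) for tok in m.group(1).split(",")]
            continue
        # Anything else, including the grammar's literal "fingerprints=",
        # is not a directive name under the corrected production.
        raise PinParseError("unknown directive: %r" % part)
    if max_age is None or pins is None:
        raise PinParseError("both max-age and pins are required")
    return {"max_age": max_age, "pins": pins}


def is_valid_public_key_pins(value):
    """True if the header value parses under the grammar above."""
    try:
        parse_public_key_pins(value)
        return True
    except PinParseError:
        return False


# Constructed sample input: digests of made-up byte strings, not real SPKIs.
SAMPLE_SHA256_DIGEST = hashlib.sha256(b"example spki 1").digest()
SAMPLE_SHA1_DIGEST = hashlib.sha1(b"example spki 2").digest()
SAMPLE_SHA256 = base64.b64encode(SAMPLE_SHA256_DIGEST).decode()
SAMPLE_SHA1 = base64.b64encode(SAMPLE_SHA1_DIGEST).decode()
SAMPLE_HEADER = "max-age = 2592000 ; pins=sha256-%s,sha1-%s" % (SAMPLE_SHA256, SAMPLE_SHA1)

if __name__ == "__main__":
    parsed = parse_public_key_pins(SAMPLE_HEADER)
    print("max-age:", parsed["max_age"])
    for fp_type, digest in parsed["pins"]:
        print(fp_type, digest.hex())
```

Run it directly to see the sample header parsed; a UA implementing the draft would call parse_public_key_pins() on the received header and, on PinParseError, ignore the header rather than store a partial pin set.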