From what I can gather, there is a thing called "header field recombination", in which a proxy or something collapses two or more headers of the same type into one, and joins their values with a ",". Therefore, I should not list multiple pins separated with a "," in the PKP header. OK.
(This is new to me. Are there MITMs that really do this? Why?) (FWIW, the only relevant hit in the first page of Google results for [ header field recombination ] is http://svn.tools.ietf.org/wg/httpbis/trac/ticket/231.)

> Public-Key-Pins: max-age=31536000;
>   pins-sha1=4n972HfV354KP560yw4uqe/baXc=;
>   pins-sha256=LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ=

OK. I suppose now we might as well get rid of the "pins-" too.

> Finally, allow quoted-string notation,
>
> Public-Key-Pins: max-age=31536000;
>   pins-sha1="4n972HfV354KP560yw4uqe/baXc=";
>   pins-sha256="LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ="
>
> so that characters not allowed (such as "/") in HTTP tokens work.

But if "/" is not allowed in HTTP tokens, we have to require quoted-string notation, and not merely allow it. Right?

Could anyone propose an exact ABNF grammar that is acceptable given the above constraints? Currently, I have it as:

    Public-Key-Pins = "Public-Key-Pins" ":" LWS directives
    directives      = max-age LWS ";" LWS pins
                    / pins LWS ";" LWS max-age
    max-age         = "max-age" LWS "=" LWS delta-seconds
    pins            = "pins" LWS "=" LWS fingerprints
    fingerprints    = fingerprint / fingerprint "," fingerprints
    fingerprint     = fp-type "-" base64-digits
    fp-type         = "sha1" / "sha256"

Thanks!

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
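Editor's added example, not code from the thread or from any draft: a parser and serializer for the ";"-separated, quoted-string form quoted in the message above (max-age plus pins-sha1/pins-sha256 directives). It makes the two constraints under discussion concrete. First, a padded base64 digest of 20 or 32 bytes always ends in "=" and may contain "/", and neither is a token character, so the parser requires quoted-string notation for pin values rather than merely allowing it. Second, a top-level "," is treated the way a recipient treats any recombined header, as the seam between two field instances, so the comma-separated fingerprints of the ABNF sketch above are torn apart by list splitting. The function names and the DIGEST_LEN table are my own; the two pin values are the ones from the thread's example header.

```python
"""Parser and serializer for the proposed Public-Key-Pins syntax:

    Public-Key-Pins: max-age=31536000; pins-sha1="<b64>"; pins-sha256="<b64>"

Added example; helper names are my own, not taken from the thread.
"""
import base64
import binascii
import re

# Raw digest length per fp-type (my own table); rejects truncated or
# mislabelled pins.  20 and 32 bytes both base64-encode with one "=" of
# padding, so a pin value can never be an HTTP token.
DIGEST_LEN = {"sha1": 20, "sha256": 32}


def split_outside_quotes(value, sep):
    """Split `value` on `sep` wherever it occurs outside a quoted-string."""
    parts, buf, in_quotes, i = [], [], False, 0
    while i < len(value):
        c = value[i]
        if in_quotes and c == "\\" and i + 1 < len(value):  # quoted-pair
            buf.append(value[i:i + 2])
            i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes
        if c == sep and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    if in_quotes:
        raise ValueError("unterminated quoted-string")
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def unquote(raw):
    """Require quoted-string notation ("/" and "=" are not tchar) and undo
    any quoted-pair escapes."""
    if len(raw) < 2 or raw[0] != '"' or raw[-1] != '"':
        raise ValueError(f"{raw!r} must be a quoted-string")
    return re.sub(r"\\(.)", r"\1", raw[1:-1])


def parse_instance(field_value):
    """Parse one field instance (no top-level commas).

    Returns (max_age_seconds, {fp_type: [digest_bytes, ...]})."""
    max_age, pins = None, {}
    for directive in split_outside_quotes(field_value, ";"):
        name, eq, raw = directive.partition("=")
        name, raw = name.strip().lower(), raw.strip()
        if not eq:
            raise ValueError(f"directive {name!r} has no value")
        if name == "max-age":
            if max_age is not None or not raw.isdigit():  # delta-seconds token
                raise ValueError("max-age must appear exactly once, as digits")
            max_age = int(raw)
        elif name.startswith("pins-") and name[5:] in DIGEST_LEN:
            alg = name[5:]
            try:
                digest = base64.b64decode(unquote(raw), validate=True)
            except binascii.Error as exc:
                raise ValueError(f"{name}: malformed base64") from exc
            if len(digest) != DIGEST_LEN[alg]:
                raise ValueError(f"{name}: expected {DIGEST_LEN[alg]} bytes, got {len(digest)}")
            pins.setdefault(alg, []).append(digest)
        else:
            raise ValueError(f"unknown directive {name!r}")
    if max_age is None or not pins:
        raise ValueError("max-age and at least one pins-* directive are required")
    return max_age, pins


def parse_field(field_value):
    """Parse a received field-value.  A top-level "," is the boundary between
    field instances that an intermediary recombined; one policy per instance."""
    return [parse_instance(inst) for inst in split_outside_quotes(field_value, ",")]


def format_field(max_age, pins):
    """Serialize in the quoted-string form; the inverse of parse_instance."""
    parts = [f"max-age={max_age}"]
    for alg, digests in pins.items():
        for d in digests:
            b64 = base64.b64encode(d).decode("ascii")
            parts.append(f'pins-{alg}="{b64}"')
    return "; ".join(parts)


def rejects(field_value):
    """True if parse_field refuses the value."""
    try:
        parse_field(field_value)
    except ValueError:
        return True
    return False


# Pin values copied from the thread's example header.
SHA1_PIN = "4n972HfV354KP560yw4uqe/baXc="
SHA256_PIN = "LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ="
GOOD = f'max-age=31536000; pins-sha1="{SHA1_PIN}"; pins-sha256="{SHA256_PIN}"'

if __name__ == "__main__":
    print(parse_field(GOOD))
    # Two instances recombined by a proxy come back as two separate policies.
    print(len(parse_field(GOOD + ", " + GOOD)))
    # Unquoted pin: "/" and "=" are not token characters, so it is refused.
    print(rejects(f"max-age=31536000; pins-sha1={SHA1_PIN}"))
    # Comma-separated fingerprints are split apart before directive parsing.
    print(rejects(f"max-age=31536000; pins=sha1-{SHA1_PIN},sha256-{SHA256_PIN}"))
```

The quote-aware splitter runs twice, first on "," and then on ";", which is the order a generic header-list parser applies; anything the pin syntax wants to keep together therefore has to avoid "," entirely or live inside a quoted-string.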
