On 2011-11-09 22:28, Chris Palmer wrote:
> From what I can gather, there is a thing called "header field
> recombination", in which a proxy or something collapses two or more
> headers of the same type into one, and joins their values with a ",".
> Therefore, I should not list multiple pins separated with a "," in the
> PKP header. OK.
>
> (This is new to me. Are there MITMs that really do this? Why?)

I know of *libraries* that do this, and I wouldn't rule out
intermediates using those.

> (FWIW, the only relevant hit in the first page of Google results for [
> header field recombination ] is
> http://svn.tools.ietf.org/wg/httpbis/trac/ticket/231.)
>
>> Public-Key-Pins: max-age=31536000;
>> pins-sha1=4n972HfV354KP560yw4uqe/baXc=;
>> pins-sha256=LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ=
>
> OK. I suppose now we might as well get rid of the "pins-" too.

Unless you need an extension point for other parameters.

>> Finally, allow quoted-string notation,
>>
>> Public-Key-Pins: max-age=31536000;
>> pins-sha1="4n972HfV354KP560yw4uqe/baXc=";
>> pins-sha256="LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ="
>>
>> so that characters not allowed (such as "/") in HTTP tokens work.
>
> But if "/" is not allowed in HTTP tokens, we have to require
> quoted-string notation, and not merely allow it. Right?

Indeed. But they are used in base64, unless you switch to
<https://tools.ietf.org/html/rfc4648#section-5>.

> Could anyone propose exact ABNF grammar that is acceptable given the
> above constraints? Currently, I have it as:
>
> ...

I made a proposal; is there something specific you didn't like?
Best regards, Julian
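As an added illustration of the two points discussed above (the "," a recombining proxy inserts between header instances, and why base64 pins need quoted-string rather than token notation), here is a small Python parser. It is not code from this thread or from the PKP draft; it assumes the RFC 2616 token and quoted-string definitions and the ";"-separated directive shape shown in the header example.

```python
import re
# RFC 2616 separators; a token may contain none of these (nor CTLs).
SEPARATORS = set('()<>@,;:\\"/[]?={} \t')

def is_token(value):
    """True if value is a valid HTTP/1.1 token (RFC 2616, section 2.2)."""
    return bool(value) and all(32 < ord(c) < 127 and c not in SEPARATORS for c in value)

def split_instances(field_value):
    """Undo proxy recombination: split on "," outside quoted-strings, one piece per instance."""
    pieces, cur, in_quote, escaped = [], [], False, False
    for c in field_value:
        if escaped:
            escaped = False
        elif c == '\\' and in_quote:
            escaped = True
        elif c == '"':
            in_quote = not in_quote
        elif c == ',' and not in_quote:
            pieces.append(''.join(cur).strip())
            cur = []
            continue
        cur.append(c)
    pieces.append(''.join(cur).strip())
    return [p for p in pieces if p]

# One directive: name "=" (token | quoted-string); directives are separated by ";".
DIRECTIVE = re.compile(r'\s*([^\s=;"]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^;"\s]*))\s*(?:;|$)')

def parse_pkp(instance):
    """Parse one Public-Key-Pins instance into {name: value}. A bare value must be a token,
    so an unquoted base64 pin ("/" or trailing "=") is rejected; quoted-strings are unescaped."""
    result, pos, instance = {}, 0, instance.strip()
    while pos < len(instance):
        m = DIRECTIVE.match(instance, pos)
        if not m:
            raise ValueError("malformed directive at offset %d" % pos)
        name, quoted, bare = m.groups()
        if quoted is not None:
            value = re.sub(r'\\(.)', r'\1', quoted)
        elif is_token(bare):
            value = bare
        else:
            raise ValueError("value of %s must be a token or quoted-string" % name)
        result[name.lower()] = value
        pos = m.end()
    return result

# Constructed sample: two header instances as a recombining proxy would join them with ",".
RECOMBINED = ('max-age=31536000; pins-sha1="4n972HfV354KP560yw4uqe/baXc=", '
              'max-age=31536000; pins-sha256="LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ="')
```

Because every padded base64 pin ends in "=", which is a separator, the token form can never carry a pin; only the quoted-string form parses.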
_______________________________________________
websec mailing list
https://www.ietf.org/mailman/listinfo/websec