It would be helpful if the document described the expected recovery process after loss/compromise of the main key. I expect this is as simple as: use backup, send header with hash for new key(s). That is, the process by which a new key can be deployed in general. The document doesn't really talk about how clients are expected to react to a changed header.
Can the header be shortened to something that takes fewer bytes like 'Key-Pins'? --Martin _______________________________________________ websec mailing list [email protected] https://www.ietf.org/mailman/listinfo/websec
