On Sat, Dec 10, 2011 at 9:30 AM, Manger, James H <[email protected]> wrote:
> 1. Say the pinning mechanism MUST NOT be used when a SubjectPublicKeyInfo
> value does not completely specify the public key, such as when holding a DSA
> key without its domain parameters. This would be acceptable if no one uses
> the inherit-parameters-from-the-CA option. I have no idea whether or not that
> is true.

I believe that you're correct that this is a problem and I suggest your solution (1): a public key pin cannot be formed if the SPKI is incomplete when taken in isolation.

Cheers

AGL

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
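
The rule agreed in this exchange, sketched as an added example that is not part of the original thread or of any draft text: a pin is refused when a DSA SubjectPublicKeyInfo omits its domain parameters. The function names, the SHA-256/base64 pin form, and the choice to check only the DSA case are assumptions made for illustration.

```python
import base64
import hashlib

DSA_OID = bytes.fromhex("2a8648ce380401")  # id-dsa, 1.2.840.10040.4.1

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def spki_is_complete(spki):
    """False if the key cannot be interpreted from this SPKI in isolation."""
    tag, body, end = read_tlv(spki)
    if tag != 0x30 or end != len(spki):
        raise ValueError("expected one SubjectPublicKeyInfo SEQUENCE")
    tag, alg, _ = read_tlv(body)            # AlgorithmIdentifier
    oid_tag, oid, pos = read_tlv(alg)       # algorithm OID
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    if oid != DSA_OID:
        return True   # only the DSA case from the thread is checked here
    if pos == len(alg):
        return False  # parameters omitted: p, q, g are inherited from the CA
    return read_tlv(alg, pos)[0] == 0x30    # explicit parameters SEQUENCE

def make_pin(spki):
    """Base64 SHA-256 over the SPKI (hash choice is an assumption)."""
    if not spki_is_complete(spki):
        raise ValueError("incomplete SPKI: refusing to form a pin")
    return base64.b64encode(hashlib.sha256(spki).digest()).decode()

def der(tag, value):
    """Encode one short-form DER element; used only to build the samples."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value

# Constructed toy samples (tiny integers, not real keys): same y, with and
# without the domain parameters p, q, g.
KEY = der(0x03, b"\x00" + der(0x02, b"\x05"))
PARAMS = der(0x30, der(0x02, b"\x17") + der(0x02, b"\x0b") + der(0x02, b"\x02"))
COMPLETE = der(0x30, der(0x30, der(0x06, DSA_OID) + PARAMS) + KEY)
INHERITED = der(0x30, der(0x30, der(0x06, DSA_OID)) + KEY)
```

Both samples carry the same public value y, so a hash over `INHERITED` would not bind the parameters that give y its meaning, which is why `make_pin` rejects it.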
