On Thu, Oct 18, 2012 at 4:56 PM, websec issue tracker
<[email protected]> wrote:
> #54: Specify a report-only mode
>
> Should there be a "report-only" mode, allowing site operators to see how
> using HPKP would affect their site's operation in browsers supporting
> HPKP? (Probably.)
>
> If so, specify how that mode would work.
What are people's thoughts on this? The motivation for a report-only
mode is twofold: (1) site operators want to see what would happen
before going live with pinning; and (2) site operators often don't
know all their keys, or all their intermediate signers' keys, or all
their trust anchors' keys, and a reporting mode could help them find
out.

(2) implies that the reporting interface would have to allow the UA to
tell the site not just "pin validation succeeded/failed", but also why
(probably by simply reporting the entire validated certificate chain
that the UA computed/observed).

The reporting interface must be one that is easy for site operators to
implement — writing code to collect the reports should not be a huge
burden for developers. Perhaps a simple JSON blob:

    {
      "pin-validation-succeeded": (true|false),
      "expected-pins": [ "sha1/blahblah", "sha256/foobar", ... ],
      "validated-chain": [ "PEM blob of EE", "PEM blob of intermediate",
                           ..., "PEM blob of anchor" ]
    }

The next issue is, should the site be able to specify a URL to which
the UA will POST the JSON blob, or should we specify a single,
well-known URL path? Using a well-known path seems simpler and less
error-prone generally.

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
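As an added illustration (not code from this thread or from any HPKP implementation), the sketch below shows both halves of the proposed report-only flow: the UA comparing the site's expected pins against every key in the validated chain and emitting the JSON blob proposed above, and a site-side collector that ingests POSTed reports and tallies keys that were observed but not pinned, which is what motivation (2) asks for. It assumes pins are digests of the DER SubjectPublicKeyInfo as in HPKP; the chain entries are constructed placeholder byte strings rather than real certificates, and are carried as base64 instead of PEM to keep the example self-contained.

```python
import base64
import hashlib
import json

# Constructed sample chain (NOT real certificates): each entry stands in for the
# DER SubjectPublicKeyInfo of one certificate, end-entity first, anchor last.
SAMPLE_CHAIN = [b"spki-of-end-entity", b"spki-of-intermediate", b"spki-of-anchor"]

HASHES = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}


def pin_for(spki: bytes, alg: str = "sha256") -> str:
    """Pin in the 'alg/base64(digest(SPKI))' form used in the proposal."""
    digest = HASHES[alg](spki).digest()
    return f"{alg}/{base64.b64encode(digest).decode()}"


def build_report(expected_pins, chain):
    """UA side: pin validation succeeds when any SPKI in the validated chain
    matches any expected pin; the whole chain is reported so the site can
    see why validation went the way it did."""
    observed = {pin_for(spki, alg) for spki in chain for alg in HASHES}
    return {
        "pin-validation-succeeded": bool(set(expected_pins) & observed),
        "expected-pins": list(expected_pins),
        "validated-chain": [base64.b64encode(spki).decode() for spki in chain],
    }


def serialize(report) -> str:
    """The JSON blob the UA would POST to the report URL."""
    return json.dumps(report)


def collect(report_json: str, unknown_keys: dict) -> bool:
    """Site side: ingest one POSTed report and count every sha256 pin of a
    chain key that the site did not list, so operators can discover keys
    (intermediates, anchors) they were unaware of. Returns the validation result."""
    report = json.loads(report_json)
    expected = set(report["expected-pins"])
    for b64 in report["validated-chain"]:
        pin = pin_for(base64.b64decode(b64))
        if pin not in expected:
            unknown_keys[pin] = unknown_keys.get(pin, 0) + 1
    return bool(report["pin-validation-succeeded"])
```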