#55: Clarify that the newest pinning information takes precedence
In section "Interactions With Preloaded Pin Lists", we need to specify
that the newest information, even "stop pinning", must take precedence. I
propose this text:
UAs MUST use the newest information — built-in or set via Valid Pinning
Header — when performing Pin Validation for the host. If the result of
noting a Valid Pinning Header is to disable pinning for the host (such as
because the host set a max-age directive with a value of 0), UAs MUST
allow this new information to override any built-in pins. That is, a host
must be able to un-pin itself even from built-in pins.
--
-------------------------+----------------------
Reporter:   palmer@…     | Owner:      palmer@…
Type:       defect       | Status:     new
Priority:   major        | Milestone:
Component:  key-pinning  | Version:
Severity:   -            | Keywords:
-------------------------+----------------------
Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/55>
websec <http://tools.ietf.org/websec/>
_______________________________________________
websec mailing list
https://www.ietf.org/mailman/listinfo/websec
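
The precedence rule proposed in this ticket, as an added illustration (not code from the ticket, the draft, or any UA). The `PinInfo` fields, the retained max-age=0 record, the treatment of built-in pins as non-expiring, and the choice not to fall back to older information once the newest record has expired are all assumptions; the key strings are constructed placeholders.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional


@dataclass(frozen=True)
class PinInfo:
    source: str             # "built-in" or "header"
    noted_at: int           # when the UA obtained this information (Unix seconds)
    max_age: Optional[int]  # seconds; 0 = stop pinning; None = no expiry (assumed for built-ins)
    pins: FrozenSet[str]    # SPKI fingerprints to enforce


def effective_pins(built_in: Optional[PinInfo], noted: Optional[PinInfo],
                   now: int) -> Optional[FrozenSet[str]]:
    """Return the pin set to enforce for a host, or None if it is unpinned."""
    known = [r for r in (built_in, noted) if r is not None]
    if not known:
        return None
    # Newest information wins, whichever source it came from.
    newest = max(known, key=lambda r: r.noted_at)
    if newest.max_age == 0:
        return None  # the host un-pinned itself; this overrides built-in pins
    if newest.max_age is not None and now >= newest.noted_at + newest.max_age:
        return None  # assumption: an expired newest record does not revive older pins
    return newest.pins


def pin_validation_ok(chain_spki: Iterable[str], built_in: Optional[PinInfo],
                      noted: Optional[PinInfo], now: int) -> bool:
    """Pin Validation: pass if unpinned, or if any chain key matches a pin."""
    pins = effective_pins(built_in, noted, now)
    return pins is None or bool(pins & frozenset(chain_spki))


# Constructed sample data (placeholders, not real fingerprints).
KEY_A, KEY_B, KEY_C = "sha256/constructed-A", "sha256/constructed-B", "sha256/constructed-C"
BUILT_IN = PinInfo("built-in", 1_000, None, frozenset({KEY_A}))
# The UA keeps the max-age=0 observation as a record instead of just deleting
# the dynamic entry; otherwise the built-in pins would silently apply again.
UNPIN = PinInfo("header", 2_000, 0, frozenset())
REPIN = PinInfo("header", 2_000, 600, frozenset({KEY_B}))
NEWER_BUILT_IN = PinInfo("built-in", 3_000, None, frozenset({KEY_A}))
```
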