On Dec 7, 2012, at 11:31 PM, Chris Palmer <[email protected]> wrote:
> On Thu, Nov 8, 2012 at 2:01 PM, websec issue tracker
> <[email protected]> wrote:
>
>> #56: Specify includeSubdomains directive for HPKP
>>
>> Ticket URL: <http://tools.ietf.org/wg/websec/trac/ticket/56#comment:1>
>
> Do people agree that draft -04 resolves this issue?

Sort of. I see that includeSubdomains is included, but I couldn't find the discussion about resolving conflicts between a superdomain (such as google.com) that has the includeSubdomain directive and a subdomain (such as www.google.com) that has a different key in its PKP directive. This question is asked in the ticket.

I'm also not sure how that could ever work. Suppose I go to google.com and get the pin with the includeSubdomain directive. Next, I go to www.google.com, and the pin doesn't match the TLS handshake. Wouldn't the UA immediately terminate the connection, with no opportunity to ever receive any HTTP header? How will the more specific pin ever get set?

Yoav

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec

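As an added illustration that is not part of the thread, the following Python model replays the ordering problem Yoav raises: pin validation runs inside the TLS handshake, and a host's own PKP header can only be recorded if that handshake survives. The matching rule (an exact entry wins, otherwise the nearest superdomain entry that set includeSubDomains) and the SPKI byte strings are assumptions of the model, not text from the draft.

```python
import hashlib
from base64 import b64encode

def spki_pin(spki_der):
    # pin-sha256 value: base64(SHA-256(SubjectPublicKeyInfo DER))
    return b64encode(hashlib.sha256(spki_der).digest()).decode()

class PinStore:
    def __init__(self):
        self.hosts = {}  # Known Pinned Hosts: host -> (set of pins, includeSubDomains)

    def applicable(self, host):
        # Assumed rule: exact entry wins; else nearest includeSubDomains superdomain; else unpinned.
        if host in self.hosts:
            return self.hosts[host][0]
        labels = host.split(".")
        for i in range(1, len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry and entry[1]:
                return entry[0]
        return None

    def validate(self, host, chain_spkis):
        # Handshake-time pin validation: a served SPKI must hash to a pin, else the UA tears the connection down.
        pins = self.applicable(host)
        return pins is None or any(spki_pin(s) in pins for s in chain_spkis)

# Constructed stand-in SPKI bytes (not real keys); the two hosts use different keys.
ROOT_SPKI, WWW_SPKI = b"constructed-spki-google.com", b"constructed-spki-www.google.com"

def visit(store, host, spki, include_subdomains):
    # One HTTPS visit: validate first; only a surviving connection can deliver
    # the PKP header that records (or replaces) this host's own pin.
    ok = store.validate(host, [spki])
    if ok:
        store.hosts[host] = ({spki_pin(spki)}, include_subdomains)
    return ok

def superdomain_first():
    # Yoav's order: google.com pins with includeSubDomains, then www.google.com with another key.
    store = PinStore()
    visit(store, "google.com", ROOT_SPKI, True)
    return visit(store, "www.google.com", WWW_SPKI, False), "www.google.com" in store.hosts

def subdomain_first():
    # Reverse order: www.google.com already has its own entry, so the exact match applies.
    store = PinStore()
    visit(store, "www.google.com", WWW_SPKI, False)
    visit(store, "google.com", ROOT_SPKI, True)
    return visit(store, "www.google.com", WWW_SPKI, False)
```

In the first ordering the www connection fails validation and its own pin is never stored; in the reverse ordering the more specific entry already exists and the visit succeeds, which is exactly why the conflict rule matters.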