On Fri, Dec 7, 2012 at 2:17 PM, Yoav Nir <[email protected]> wrote:
> Sort of. I see that includeSubdomains is included, but I couldn't find the
> discussion about resolving conflicts between a superdomain (such as
> google.com) that has the includeSubdomain directive, and a subdomain (such as
> www.google.com) that has a different key in its PKP directive. This question
> is asked in the ticket.

In addition to Ryan's comments, I'll add that I think we should talk more in the draft about how we follow the hostname matching rules of HSTS. The only reference to it in our I-D is in section 2.3.2:

"""
Otherwise, if the substring does not congruently match a Known Pinned Host's domain name, per the matching procedure specified in Section 8.2 of [RFC6797], then the UA MUST note this host as a Known Pinned Host, caching the Pinned Host's domain name and noting along with it the expiry time of this information, as effectively stipulated per...
"""

So I think we'll add a discussion of how this affects Pin Validation (section 2.6) as well.

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
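As an added illustration (not code from the thread or from the draft), the two matching rules of RFC 6797 section 8.2, congruent match and superdomain match via includeSubDomains, applied to a Known Pinned Host store in the situation Yoav describes: a superdomain pin with includeSubDomains and a subdomain with its own, different pin. The "most specific match wins" policy in applicable_pins() is an assumption used to make the example concrete; the draft does not settle that question, and the pin values are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PinnedHost:
    domain: str                 # Known Pinned Host's domain name, lower case, no trailing dot
    include_subdomains: bool    # whether includeSubDomains was asserted for this entry
    pins: frozenset             # pin values; constructed placeholders, not real SPKI hashes

def _canon(host):
    # Host names compare case-insensitively; a trailing dot denotes the same name.
    return host.lower().rstrip(".")

def congruent_match(host, entry):
    # RFC 6797 s8.2: the host name is label-for-label identical to the Known Host's name.
    return _canon(host) == entry.domain

def superdomain_match(host, entry):
    # RFC 6797 s8.2: the Known Host's name is a proper superdomain of the host name,
    # and the match only counts when includeSubDomains was asserted for that entry.
    return entry.include_subdomains and _canon(host).endswith("." + entry.domain)

def matching_pinned_hosts(host, store):
    """All Known Pinned Hosts that match `host`, most specific (most labels) first."""
    matches = [e for e in store if congruent_match(host, e) or superdomain_match(host, e)]
    return sorted(matches, key=lambda e: e.domain.count("."), reverse=True)

def applicable_pins(host, store):
    """Pins to validate against, or None if the host is not a Known Pinned Host.
    ASSUMPTION: when both a congruent and a superdomain match exist, the most
    specific entry wins. This is one possible policy, not the draft's answer."""
    matches = matching_pinned_hosts(host, store)
    return matches[0].pins if matches else None

def validate_chain(host, store, chain_spki_hashes):
    """Pin Validation: at least one hash in the served chain must be a pinned value."""
    pins = applicable_pins(host, store)
    if pins is None:
        return True   # not a Known Pinned Host; nothing to enforce
    return any(h in pins for h in chain_spki_hashes)

# Constructed store reproducing the conflict from the thread (example.com stands in for google.com).
STORE = [
    PinnedHost("example.com", True, frozenset({"pin-parent"})),
    PinnedHost("www.example.com", False, frozenset({"pin-child"})),
]
```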
