On Fri, Dec 7, 2012 at 9:58 PM, Ryan Sleevi <[email protected]> wrote:
> So, let's say the workflow is:
> You first visit "google.com" (or, through whatever U-A specific means
> exist, you have a pre-loaded pin for "google.com").
> It has a PKP directive that asserts Pin(A) and Pin(B), along with
> includeSubDomains.
> The validated cert chain contains Pin(A), so the PKP is accepted, and
> google.com (and all of its subdomains through all levels) are set to
> Pin(A) and Pin(B)
>
> You now visit www.google.com
>
> IF www.google.com is not valid for Pin(A), fail the connection. That is
> the only acceptable path.

Quick clarification: Pin(B) would also be acceptable.

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
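The pin-set semantics discussed in the exchange above (a PKP directive is only accepted when the validated chain matches one of the asserted pins; includeSubDomains covers subdomains at every depth; and a later connection passes if its chain matches either Pin(A) or Pin(B)), modelled as an added Python example. This is not code from the thread or from any user agent; the `PinStore` class, its method names and the SPKI byte strings are constructed for the illustration, and the rule that an exact-host entry takes precedence over an ancestor's includeSubDomains entry is a simplifying assumption.

```python
from __future__ import annotations

import base64
import hashlib
from dataclasses import dataclass


def pin_sha256(spki_der: bytes) -> str:
    """Pin value in the RFC 7469 form: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


@dataclass(frozen=True)
class PinEntry:
    pins: frozenset            # pin-sha256 values the host asserted (Pin(A), Pin(B), ...)
    include_subdomains: bool   # True when the directive carried includeSubDomains


class PinStore:
    """Minimal model of a user agent's pin store (constructed for this illustration)."""

    def __init__(self) -> None:
        self._entries: dict[str, PinEntry] = {}

    def learn(self, host: str, chain_spki: list[bytes], asserted_pins, include_subdomains: bool) -> bool:
        """Accept a PKP directive only if the validated chain that delivered it matches one asserted pin.

        Returns True if the entry was stored, False if the directive was rejected.
        """
        asserted = frozenset(asserted_pins)
        chain_pins = {pin_sha256(s) for s in chain_spki}
        if not asserted & chain_pins:
            return False  # directive does not match its own chain: ignore it, store nothing
        self._entries[host.lower()] = PinEntry(asserted, include_subdomains)
        return True

    def lookup(self, host: str) -> PinEntry | None:
        """Exact-host entry wins; otherwise the nearest ancestor whose entry has includeSubDomains."""
        labels = host.lower().split(".")
        for depth in range(len(labels)):
            candidate = ".".join(labels[depth:])
            entry = self._entries.get(candidate)
            if entry is None:
                continue
            if depth == 0 or entry.include_subdomains:
                return entry
            # an ancestor pinned without includeSubDomains does not constrain this host
        return None

    def check(self, host: str, chain_spki: list[bytes]) -> bool:
        """True if the connection may proceed: host is unpinned, or the chain matches any stored pin."""
        entry = self.lookup(host)
        if entry is None:
            return True
        return bool(entry.pins & {pin_sha256(s) for s in chain_spki})


# Constructed stand-ins for SubjectPublicKeyInfo DER blobs; real pins hash real SPKI bytes.
SPKI_A = b"constructed-spki-A"
SPKI_B = b"constructed-spki-B"
SPKI_C = b"constructed-spki-C"


def run_scenario() -> dict:
    """Replays the workflow from the thread and returns each outcome by name."""
    store = PinStore()
    pin_a, pin_b = pin_sha256(SPKI_A), pin_sha256(SPKI_B)
    results = {}
    # google.com serves a chain containing A and asserts Pin(A), Pin(B), includeSubDomains
    results["learned"] = store.learn("google.com", [SPKI_A], [pin_a, pin_b], True)
    # www.google.com: either pinned key satisfies the check, an unrelated key does not
    results["www_with_a"] = store.check("www.google.com", [SPKI_A])
    results["www_with_b"] = store.check("www.google.com", [SPKI_B])
    results["www_with_c"] = store.check("www.google.com", [SPKI_C])
    # includeSubDomains reaches every label depth below google.com
    results["deep_with_c"] = store.check("mail.corp.google.com", [SPKI_C])
    # a host with no pin is never failed by the pin store
    results["unpinned"] = store.check("example.com", [SPKI_C])
    # a directive whose chain matches none of its own pins is rejected, not stored
    results["rejected_directive"] = store.learn("example.com", [SPKI_C], [pin_a], True)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

The `learn` step is the guard the thread takes for granted: a directive that does not match the chain it arrived on must not be stored, otherwise a single mis-served header could wedge a site out of its own subdomains. `check` then treats the stored pins as a set, which is exactly why Pin(B) passes for www.google.com alongside Pin(A).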
