I hear more and more talk about HPKP being used primarily in Report-Only mode. I think that's fair, as website operators are very *very* nervous about bricking themselves. But it also takes away the ability of users to be proactive about these (possible) violations.
How do people feel about the following addition to the "Reporting Pin Validation Failure" section (probably under a new sub-section):

If a UA provides extensibility points to be used by third party extensions or plugins, it [MAY?/SHOULD?] provide extensibility points relating to failures in both enforcement and Report Only mode.

I envision a browser extension (which is naturally an opt-in mechanism) that flags Report Only violations so users are aware of them, and can investigate. I envision another one, perhaps run by the EFF, Google, or other trustworthy organization, that actually sends these reports anonymized to a central database (besides the report-uri) where volunteers or employees could review them for suspicious entries.

-tom

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
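As an added illustration of the "central database" half of the proposal (this is example code written for this page, not anything from the websec thread or from any UA or organization named above): a small Python pipeline that a collecting endpoint could run on pin-validation-failure reports. The report field names follow RFC 7469 section 3; the anonymization choices (hour-granularity timestamps, certificate fingerprints instead of full PEM chains), the review threshold, the `_fake_pem` placeholder certificates and the sample reports are all assumptions constructed here so the code runs offline.

```python
"""Added example: parse, anonymize and triage HPKP violation reports.
Field names follow RFC 7469 section 3; everything else is an assumption."""
import base64
import hashlib
import json
from collections import Counter
from datetime import datetime, timezone

# Report body fields defined in RFC 7469 section 3. A report missing any
# of them is rejected instead of being stored.
REQUIRED_FIELDS = (
    "date-time", "hostname", "port", "effective-expiration-date",
    "include-subdomains", "noted-hostname", "served-certificate-chain",
    "validated-certificate-chain", "known-pins",
)


def pem_fingerprint(pem: str) -> str:
    """Hex SHA-256 over the DER bytes inside one PEM block. The database keeps
    this instead of the full chain, which is enough to correlate reports."""
    body = "".join(
        line.strip() for line in pem.splitlines()
        if line.strip() and not line.startswith("-----")
    )
    return hashlib.sha256(base64.b64decode(body, validate=True)).hexdigest()


def parse_report(raw: str) -> dict:
    """Parse one POSTed report body; raise ValueError if it is malformed."""
    report = json.loads(raw)
    missing = [f for f in REQUIRED_FIELDS if f not in report]
    if missing:
        raise ValueError(f"report missing fields: {missing}")
    if not isinstance(report["port"], int):
        raise ValueError("port must be an integer")
    for field in ("served-certificate-chain", "validated-certificate-chain", "known-pins"):
        if not isinstance(report[field], list) or not report[field]:
            raise ValueError(f"{field} must be a non-empty list")
    return report


def anonymize(report: dict) -> dict:
    """Reduce a parsed report to what a reviewer needs. Assumption: hour
    granularity and chain fingerprints satisfy the sharing policy in use."""
    when = datetime.fromisoformat(report["date-time"].replace("Z", "+00:00"))
    return {
        "hour": when.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:00Z"),
        "hostname": report["hostname"],
        "port": report["port"],
        "served_chain": [pem_fingerprint(p) for p in report["served-certificate-chain"]],
        "known_pins": sorted(report["known-pins"]),
    }


def triage(records: list, threshold: int = 2) -> dict:
    """Group anonymized records by (hostname, leaf fingerprint). Assumption:
    a chain several reporters saw for the same host is reviewed before a one-off."""
    counts = Counter((r["hostname"], r["served_chain"][0]) for r in records)
    return {key: n for key, n in counts.items() if n >= threshold}


def _fake_pem(tag: bytes) -> str:
    """Constructed placeholder PEM block (not a real certificate)."""
    b64 = base64.b64encode(tag).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----"


def _sample_report(host: str, leaf: bytes, when: str) -> str:
    """Constructed sample report body in the RFC 7469 section 3 shape."""
    chain = [_fake_pem(leaf), _fake_pem(b"issuer-" + leaf)]
    pin = 'pin-sha256="' + base64.b64encode(b"k" * 32).decode() + '"'
    return json.dumps({
        "date-time": when, "hostname": host, "port": 443,
        "effective-expiration-date": "2014-05-01T00:00:00Z",
        "include-subdomains": False, "noted-hostname": host,
        "served-certificate-chain": chain, "validated-certificate-chain": chain,
        "known-pins": [pin],
    })


SAMPLE_REPORTS = [
    _sample_report("example.com", b"leaf-A", "2014-04-06T13:00:50Z"),
    _sample_report("example.com", b"leaf-A", "2014-04-06T13:20:10Z"),
    _sample_report("example.org", b"leaf-B", "2014-04-06T14:05:00Z"),
]


def run_sample() -> dict:
    """Run the constructed reports through the pipeline; returns the groups
    that reached the review threshold."""
    records = [anonymize(parse_report(raw)) for raw in SAMPLE_REPORTS]
    return triage(records)


if __name__ == "__main__":
    for (host, leaf_fp), n in run_sample().items():
        print(f"review: {host} served chain {leaf_fp[:16]}... in {n} reports")
```

The endpoint itself (HTTP handling, storage) is left out; `parse_report` is the validation you would run on each POST body, `anonymize` is what gets written to the shared database, and `triage` is one simple query a volunteer could run over it.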
