On Wed, April 17, 2013 6:42 am, Tom Ritter wrote:
>  I hear more and more talk about HPKP being used primarily in
>  Report-Only mode.  I think that's fair, as website operators are very
>  *very* nervous about bricking themselves.  But it also takes away the
>  ability of users to be proactive about these (possible) violations.
>
>  How do people feel about the following addition to the "Reporting Pin
>  Validation Failure" section (probably under a new sub-section):
>
>    If a UA provides extensibility points to be used
>    by third party extensions or plugins, it [MAY?/SHOULD?]
>    provide extensibility points relating to failures in
>    both enforcement and Report Only mode.
>
>  I envision a browser extension (which is naturally an opt-in
>  mechanism) that flags Report Only violations so users are aware of
>  them, and can investigate.  I envision another one, perhaps run by the
>  EFF, Google, or other trustworthy organization that actually sends
>  these reports anonymized to a central database (besides the
>  report-uri) where volunteers or employees could review them for
>  suspicious entries.
>
>  -tom
>  _______________________________________________
>  websec mailing list
>  [email protected]
>  https://www.ietf.org/mailman/listinfo/websec
>
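As an added illustration (not code from this thread, from the HPKP draft, or from any UA), the following Python sketches the distinction Tom's message turns on: under an enforcing Public-Key-Pins header a pin validation failure blocks the connection, while under Public-Key-Pins-Report-Only it is only reported, and an optional on_failure hook stands in for the kind of opt-in extension point he proposes, so an observer still sees Report-Only failures. The header names and the pin-sha256/max-age/report-uri directives are the draft's; the PinPolicy, parse_pin_header, spki_pin and validate_pins names, the SPKI byte strings and the simplified report dictionary are constructed for this example and are not the draft's report format.

```python
import base64
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Header names from the HPKP draft; everything else below is constructed.
HEADER_ENFORCE = "Public-Key-Pins"
HEADER_REPORT_ONLY = "Public-Key-Pins-Report-Only"


@dataclass
class PinPolicy:
    pins: List[str]            # base64 SHA-256 SPKI hashes from pin-sha256 directives
    max_age: int               # seconds the pins are to be remembered
    report_uri: Optional[str]  # where the UA would POST a failure report
    report_only: bool          # True when learned from the Report-Only header


def parse_pin_header(name: str, value: str) -> PinPolicy:
    """Parse the directives of a Public-Key-Pins(-Report-Only) header value."""
    pins: List[str] = []
    max_age = 0
    report_uri = None
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        key, _, val = directive.partition("=")   # split at the first '=' only,
        key = key.strip().lower()                 # so base64 '=' padding survives
        val = val.strip().strip('"')
        if key == "pin-sha256":
            pins.append(val)
        elif key == "max-age":
            max_age = int(val)
        elif key == "report-uri":
            report_uri = val
    return PinPolicy(pins, max_age, report_uri, name.lower() == HEADER_REPORT_ONLY.lower())


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value for a DER-encoded SubjectPublicKeyInfo: base64(SHA-256(SPKI))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def validate_pins(policy: PinPolicy, chain_spki: List[bytes], hostname: str,
                  on_failure: Optional[Callable[[Dict], None]] = None) -> Tuple[bool, Optional[Dict]]:
    """Return (connection_allowed, report).

    The chain passes if any certificate's SPKI hash matches a known pin.
    On failure a simplified report (constructed shape, not the draft's format)
    is built, handed to the optional observer hook, and the connection is
    allowed only in Report-Only mode.
    """
    chain_pins = [spki_pin(s) for s in chain_spki]
    if any(p in policy.pins for p in chain_pins):
        return True, None
    report = {
        "hostname": hostname,
        "known-pins": list(policy.pins),
        "validated-chain-pins": chain_pins,   # constructed field name
        "report-only": policy.report_only,
        "report-uri": policy.report_uri,
    }
    if on_failure is not None:
        on_failure(report)   # the opt-in observer proposed in the thread
    return policy.report_only, report


if __name__ == "__main__":
    pinned = b"constructed-spki-of-the-pinned-key"
    rogue = b"constructed-spki-of-some-other-key"
    header = 'pin-sha256="%s"; max-age=5184000; report-uri="https://example.com/hpkp-report"' % spki_pin(pinned)
    for name in (HEADER_ENFORCE, HEADER_REPORT_ONLY):
        policy = parse_pin_header(name, header)
        allowed, report = validate_pins(policy, [rogue], "example.com", on_failure=print)
        print(name, "-> connection allowed:", allowed)
```

In the enforcing case the failure is visible to the user because the connection is refused; in the Report-Only case nothing is shown unless something like the on_failure hook exists, which is exactly the visibility gap the proposal is about.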

While an interesting idea, and certainly one we've discussed on the
Chromium side when considering implementation extension points, I think
it's wholly inappropriate to include in the spec itself.

I feel it opens a slippery slope of introducing behaviours that aren't
strictly related to the treatment of the header. What's next? Extension
points for how HPKP is managed within the UA (which also makes sense, but
shouldn't be included in the spec)?

Cheers,
Ryan
