Hi,

I'm not sure I understand section 2.7 on "Interactions With Preloaded Pin
Lists".

At first glance it seems clear:  Both preloaded and dynamic pins MUST store
the "Effective Pin Date" when the pin was most recently observed, and
browsers MUST use only the most recent information.  E.g.:

T10 - Crawler notes a pin for "example.com"
T15 - Browser notes a different pin for "example.com"
T20 - Crawler sends preloaded pin to Browser

In this case, the browser MUST ignore the preloaded pin, and only apply the
pin it noted at T15.

But what if the browser-noted pin has a max-age of 0 or 1?  Or what if the
T15 connection occurs over a secure transport but has no PKP header?  The
spec says:

"If the result of noting a Valid Pinning Header is to disable pinning for
the host, such as through supplying a max-age directive with a value of 0,
UAs MUST allow this new information to override any other pinning data.
That is, a host must be able to un-pin itself, even in the presence of
built-in pins."

That seems to imply the browser needs to remember "un-pinning" responses it
receives (i.e. max-age=0 or no PKP header), and expired pins, on the chance
that any of these might "un-pin" a preloaded pin it receives later?


That seems fairly complicated, and rather inflexible (I could imagine a
browser might trust its preload data more than dynamic data, and prefer
that take precedence).

So what if browsers were simply allowed to apply *either* the preload or
dynamic pin, or both?

The browser could choose to apply a complex, time-based algorithm like
above, or do something simpler like apply both pins, or let preloads take
precedence.

This also allows for implementations which don't need to store either the
"Effective Pin Date" (only the expiration time), or "un-pinning" entries.

Thoughts?


Trevor
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
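Added example, not part of Trevor's message or of the websec draft: a toy pin store that keeps every observation (including max-age=0 and expired entries) with its "Effective Pin Date", and resolves the pin for a host under the two policies discussed above, the draft's "most recent information wins" reading and the "preload takes precedence" alternative. Host name, SPKI fingerprints and timestamps are constructed values.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class PinRecord:
    host: str
    pins: FrozenSet[str]   # SPKI fingerprints (constructed sample values)
    effective_date: int    # "Effective Pin Date": when this info was last observed
    max_age: int           # seconds; max-age=0 is an "un-pin" per the quoted text
    source: str            # "preload" (crawler) or "dynamic" (live PKP header)

    def expired(self, now: int) -> bool:
        return now >= self.effective_date + self.max_age


class PinStore:
    """Retains un-pin and expired records too, since under the draft's reading a
    later-dated un-pin must override a preloaded pin delivered afterwards."""

    def __init__(self) -> None:
        self._records: Dict[str, List[PinRecord]] = {}

    def note(self, rec: PinRecord) -> None:
        self._records.setdefault(rec.host, []).append(rec)

    def effective_pins(self, host: str, now: int,
                       policy: str = "most-recent") -> Optional[FrozenSet[str]]:
        recs = self._records.get(host, [])
        if policy == "most-recent":
            # Draft reading: only the most recently observed information counts,
            # whichever source it came from.
            recs = sorted(recs, key=lambda r: -r.effective_date)
        elif policy == "preload-first":
            # Alternative from the message: trust preload data over dynamic data.
            recs = sorted(recs, key=lambda r: (r.source != "preload", -r.effective_date))
        else:
            raise ValueError(policy)
        if not recs:
            return None          # host was never pinned
        latest = recs[0]
        if latest.max_age == 0 or latest.expired(now):
            return None          # un-pinned, or the winning pin has lapsed
        return latest.pins


def demo() -> Dict[str, Optional[FrozenSet[str]]]:
    """The T10/T15/T20 timeline from the message, evaluated at T20 under both policies."""
    store = PinStore()
    store.note(PinRecord("example.com", frozenset({"sha256/AAAA"}), 10, 1000, "preload"))  # T10 crawler
    store.note(PinRecord("example.com", frozenset({"sha256/BBBB"}), 15, 1000, "dynamic"))  # T15 browser
    return {p: store.effective_pins("example.com", 20, p) for p in ("most-recent", "preload-first")}
```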