There is now a section on privacy considerations in the new draft (http://tools.ietf.org/html/draft-ietf-websec-key-pinning-07#section-5). The text does a nice job explaining the N-pinned-subdomains-as-supercookie attack, and also using report-uri as a tracking mechanism.
There is no advice to implementers, however. Is there a reason not to make explicit that user agents SHOULD remove pins for privacy reasons, something along the lines of the text I suggested previously:

> Thinking of (a) and (b) is it worth adding a section to the spec on
> privacy considerations? The high points would be that (a) Browsers SHOULD
> remove dynamic pins for a domain whenever users request deletion of other
> browser-history state for that domain, such as a "clear history" request or
> the end of a private browsing session. (b) Browsers MAY decline to note
> pins for privacy reasons for third-party domains while browsing, similar to
> third-party cookie policies.
>
> Cheers, Joe
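
A sketch of behaviours (a) and (b) from the quoted proposal, as an added example that is not part of the original message or the draft. The `PinStore` class, its method names, and the two-label `site_of` shortcut are assumptions made for illustration.

```python
import time

def site_of(host):
    # Assumption: registrable domain = last two labels. A real user agent
    # would consult the Public Suffix List instead.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class PinStore:
    """Hypothetical user-agent pin store; names are illustrative only."""

    def __init__(self, note_third_party=False):
        self.note_third_party = note_third_party
        self.dynamic = {}   # host -> (pins, expiry), learned from headers
        self.private = {}   # same, but scoped to a private browsing session

    def note_pin(self, host, top_level_host, pins, max_age, private=False, now=None):
        now = time.time() if now is None else now
        # (b) decline pins from third-party hosts, like a third-party cookie policy
        if not self.note_third_party and site_of(host) != site_of(top_level_host):
            return False
        store = self.private if private else self.dynamic
        store[host.lower()] = (frozenset(pins), now + max_age)
        return True

    def pinned_hosts(self, site, now=None):
        """Hosts under `site` with a live pin: the state a site could read back."""
        now = time.time() if now is None else now
        live = {**self.dynamic, **self.private}
        return sorted(h for h, (_, exp) in live.items()
                      if site_of(h) == site_of(site) and exp > now)

    def clear_site_history(self, site):
        # (a) drop dynamic pins for the site and every subdomain, so no subset
        # of pinned subdomains survives a "clear history" request
        for store in (self.dynamic, self.private):
            for host in [h for h in store if site_of(h) == site_of(site)]:
                del store[host]

    def end_private_session(self):
        # (a) pins noted while browsing privately do not outlive the session
        self.private.clear()
```

Clearing by registrable site rather than by exact host is what matters for the N-pinned-subdomains case: removing only the host the user visited would leave the other subdomains' pins in place.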
