> This issue turned out to be more contentious than I had expected. We've
> had two people in support of the change, in addition to one response that
> seems to indicate support for such a change, and Mark's remarks at the
> meeting, which were also kind-of, sort-of in support of such a change.
>

I'm in support of a change, I hope I'm counted as such.


> And for those who would like to use a .well-known resource, can you
> suggest a format for the key pinning resource?


I think the simplest option is to use a CSP-style format, with multiple
lines of "directive-name : value," such that Strict-Transport-Security and
Public-Key-Pins headers could be pasted directly on such lines with no
other changes to the spec. Future security policies could be defined/added
as needed, such as "Strict-Certificate-Transparency : max-age=N".

An alternative would be a JSON or XML file which might be a little more
extensible and easier to parse, but would require more re-writing of this
and other specs.

Joe
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
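As an added illustration of the CSP-style resource Joe proposes (example code written for this page, not from the thread or any spec), a parser that reads "directive-name : value" lines and validates the pasted Public-Key-Pins value against the RFC 7469 header grammar. The `#` comment convention, case-insensitive directive names and the pin values are assumptions; the pins are constructed, not real keys.

```python
import base64
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed pin values (SHA-256 of placeholder strings), not real SPKI hashes.
def _fake_pin(label: str) -> str:
    return base64.b64encode(hashlib.sha256(label.encode()).digest()).decode()

# Hypothetical .well-known resource in the proposed format: one directive per
# line, values copied verbatim from the corresponding response headers.
SAMPLE_RESOURCE = "\n".join([
    "# constructed example, not a real site's policy",
    "Strict-Transport-Security : max-age=31536000; includeSubDomains",
    'Public-Key-Pins : pin-sha256="%s"; pin-sha256="%s"; max-age=5184000'
    % (_fake_pin("constructed-pin-1"), _fake_pin("constructed-pin-2")),
])

# RFC 7469 pin token: base64 of a 32-byte SHA-256 digest (43 chars plus one "=").
_PIN_RE = re.compile(r'pin-sha256="([A-Za-z0-9+/]{43}=)"')

def parse_policy_resource(text: str) -> Dict[str, str]:
    """Return {directive-name (lowercased): header-value}; '#' lines are comments."""
    policy: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected 'directive-name : value'")
        name, value = line.split(":", 1)
        policy[name.strip().lower()] = value.strip()
    return policy

def parse_hpkp(value: str) -> Tuple[List[str], int]:
    """Return (pins, max_age) from a Public-Key-Pins value, rejecting malformed input."""
    pins: List[str] = []
    max_age = None
    for part in (p.strip() for p in value.split(";") if p.strip()):
        m = _PIN_RE.fullmatch(part)
        key = part.split("=", 1)[0].lower()
        if m:
            pins.append(m.group(1))
        elif key == "max-age":
            max_age = int(part.split("=", 1)[1])
        elif key not in ("includesubdomains", "report-uri"):
            raise ValueError(f"unknown HPKP directive: {part}")
    # RFC 7469 requires max-age and at least two pins (one must be a backup pin).
    if max_age is None or len(set(pins)) < 2:
        raise ValueError("HPKP requires max-age and at least two distinct pins")
    return pins, max_age
```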
