Hi,

Let me try to summarize where we are with this discussion.

There have been some suggestions that all policy headers such as CSP. However, a well-known URI is unique per domain, while CSP can be different for each resource. So only policy elements that are domain-specific rather than resource-specific can be in the proposed well-known URI. That list is rather short: HPKP and HSTS. For now, we can ignore HSTS. If we take the well-known-URI path and someone later wants to move HSTS to the same or a different WK URI, that will be a separate effort.

With that in mind, the advantages of well-known URIs are obvious:

* Less bandwidth than repeating the HTTP header on each response.
* No need to send this data to clients that don't support HPKP.

So the opinions against this that we've heard so far, I will try to summarize. I apologize in advance if I over-simplify or misrepresent your position:

* This should not be done as a one-off for HPKP. If it should be done at all, it should be done as part of a unified framework for policies. (Jeff Hodges)
* "Agree with Jeff" (Chris Palmer, me, a few others)
* The current HPKP header is inefficient and inelegant, because there is no limit on the number of hashes, and the client needs to validate and update pins on every resource. (Trevor Perrin)
* HSTS deployment does not have the header on every path and every subdomain. If HPKP is deployed like that, we will have random results. Should use a WK URI. (Joseph Bonneau)
* [Changing to a WK URI] is a good idea, and if we don't do it now, we'll never do it. (Mark Nottingham, Larry Masinter)
* [Changing to a WK URI] is a good idea, because HTTP headers are supposed to be about the resource, not the site. (Daniel Kahn Gillmor)
* Maybe we should finish HPKP as it is, and later start a generic draft on moving everything to a well-known URI? (Tobias)
* We considered this for CSP, and decided against well-known URIs. It's an extra HTTP request. It may have performance implications, and it's no big deal to have this in every response, since the size is "smallish". In some network conditions, we might never get to fetch the WK URI, because the "next connection" might come first. (Gervase Markham, Mozilla)

As chair, I see that there is a majority for making the change, but I did not see the concerns raised by Gervase addressed. It is also troubling that the people who work on a browser (Chris and Gervase) are both against the change, so I think it's too early to declare consensus, until this issue has been more thoroughly discussed.

Yoav
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec