Hi websec,

There was an item to discuss "interaction between pre-loaded and
dynamic pins", and some earlier discussion:

http://www.ietf.org/mail-archive/web/websec/current/msg01651.html
http://www.ietf.org/mail-archive/web/websec/current/msg01833.html

I think the current text in draft-08 section 2.7 is unclear about what
preloaded and dynamic information the browser needs to store.

Most of the draft is written as if the browser is only storing active,
unexpired pins.  But 2.7 seems to imply the browser stores timestamped
"negative observations" such as max-age=0 observations, no-header
observations, and expired pins, which will override
less-recently-observed pins from different data sources (preloaded
overriding dynamic, or vice versa).

I could imagine simpler policies.  One example:
 * The preload and dynamic lists contain only active, unexpired pins
 * The browser applies pins from both lists (i.e. if both a dynamic
and preloaded pin exist for example.com, they are both applied)
 * The browser manufacturer can push an "override" which erases bad
dynamic pins for particular hostnames.

This wouldn't provide automatic overriding of (preloaded/dynamic) pins
based on newer observations in a different source.  But it *would*
allow for explicit overriding of bad dynamic pins, which seems the
most important type of overriding.  It also seems much simpler.

I suggest we allow such different and simpler policies.

If people disagree, I'd like to hear a clearer statement of:
 * How exactly the current policy will work (i.e. what negative
information needs to be stored and how it's used).
 * Why it's necessary to support automatic overriding of pins from
different sources based on the newest observation.


Trevor
_______________________________________________
websec mailing list
https://www.ietf.org/mailman/listinfo/websec
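The simpler policy sketched in the mail (store only active, unexpired pins; apply pins from both the preloaded and dynamic lists; a vendor-pushed override erases dynamic pins for a hostname), written out as an added Python example that is not part of the thread or of the HPKP draft. The hostnames, SPKI digest strings and the injectable clock are constructed for illustration.

```python
from dataclasses import dataclass
import time


@dataclass(frozen=True)
class Pin:
    """One pin: host, the set of acceptable SPKI digests, absolute expiry time."""
    host: str
    spki_hashes: frozenset
    expires: float
    include_subdomains: bool = False


class PinStore:
    """Holds only active pins; no timestamped negative observations are kept."""
    def __init__(self, preloaded, now=time.time):
        self.preloaded = list(preloaded)   # list shipped with the browser
        self.dynamic = []                  # pins learned from response headers
        self.now = now                     # clock is injectable so tests can advance it

    def observe_header(self, host, spki_hashes, max_age, include_subdomains=False):
        # The newest header for a host replaces its dynamic pin; max-age=0 simply drops it.
        self.dynamic = [p for p in self.dynamic if p.host != host]
        if max_age > 0:
            self.dynamic.append(Pin(host, frozenset(spki_hashes),
                                    self.now() + max_age, include_subdomains))

    def push_override(self, host):
        # Vendor-pushed override: erase dynamic pins for the host; preloaded pins are untouched.
        self.dynamic = [p for p in self.dynamic if p.host != host]

    def applicable_pins(self, host):
        """Unexpired pins from BOTH lists that cover host (exact match or includeSubDomains)."""
        now = self.now()
        return [p for p in self.preloaded + self.dynamic
                if p.expires > now and
                (p.host == host or (p.include_subdomains and host.endswith("." + p.host)))]

    def chain_allowed(self, host, chain_spki_hashes):
        """Every applicable pin must match at least one SPKI digest in the presented chain."""
        chain = set(chain_spki_hashes)
        return all(p.spki_hashes & chain for p in self.applicable_pins(host))


if __name__ == "__main__":
    # Constructed demo: a preloaded and a dynamic pin for the same host are both applied.
    store = PinStore([Pin("example.com", frozenset({"sha256/PRELOAD"}), time.time() + 3600)])
    store.observe_header("example.com", {"sha256/DYNAMIC"}, max_age=3600)
    print(store.chain_allowed("example.com", {"sha256/PRELOAD", "sha256/DYNAMIC"}))  # True
```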