On 11/19/2013 3:36 PM, Yoav Nir wrote:
>> As far as the laptop moving between home and work... I get the
>> impression this situation may be regarded as a 'failure' of the
>> protocol. That is, we have unintentionally broken something. I disagree.
>> I think the situation has worked as desired.
>
> It's the other way around. The desktop that remains at the office and keeps
> ignoring the strict pins is the failure.

Ah, I agree with that, also. I was anticipating an argument that the laptop
had been 'broken' by migrating.

> So the benevolent TLS proxy should note the "strict" directive and block the
> connection by itself? It makes sense, but that would require an upgrade of
> the TLS proxies. Changing client behavior would work with the proxies that
> are deployed now.

Not necessarily. Really I meant that I, as the maintainer of the SSL MITM
device at FooCorp, could decide "Employees aren't allowed to use personal
WebMail at work" and then enforce that with blocking. Auto-blocking based off
'strict' would absolutely require upgrades, but that wasn't my meaning.

>> I expect that Firefox and Google may even continue to preload entries in
>> their browsers that apply the 'strict' directive specifically to provide
>> websites the power to assert their right to a MitM-free connection. I
>> know several websites that would like to exercise that right.
>>
>
> What? And have their sites not work in all the places that have newer
> firewalls? I doubt it.

/shrug I can hope. :)

-tom

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
