On Fri, Nov 29, 2013 at 2:15 PM, Tom Ritter <[email protected]> wrote:
> On 29 November 2013 15:24, Trevor Perrin <[email protected]> wrote:
>>
>> * Why is there a "Public-Key-Pins-Report-Only" header instead of a
>> "report-only" directive? Most of the document is written as if there
>> was a single "PKP header field", so a directive would make more sense.
>
>
> If it becomes a directive, we should be sure that we can still apply two
> headers, one more loose in enforcing mode, one stricter in report only mode.
Would you expect both headers to be noted?
The current spec doesn't support that. It specifies 2 different (and
incompatible) ways of handling this case:
- 2.1.3: "If a Host sets both the Public-Key-Pins header and the
Public-Key-Pins-Report-Only header, the UA MUST NOT enforce Pin Validation,
and MUST note only the pins and directives given in the
Public-Key-Pins-Report-Only header."
- 2.3.1: "If a UA receives more than one PKP header field in an HTTP
response message over secure transport, then the UA MUST
process only the first such header field."
Trevor
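The two rules Trevor quotes can be modelled side by side to show that they disagree for the very case Tom raised (an enforcing header followed by a stricter report-only header). This is an added illustration, not code from the draft or from any browser; the header values are constructed, and the 2.3.1 model assumes, as Trevor's reading suggests, that "PKP header field" covers both field names.

```python
from typing import Dict, List, Tuple

Header = Tuple[str, str]  # (field name, field value) as received in the response

def parse_pkp(value: str) -> Dict[str, object]:
    """Split a PKP header value into its pin-sha256 values and other directives."""
    pins, directives = [], {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, raw = part.partition("=")
        name = name.strip().lower()
        val = raw.strip().strip('"')
        if name == "pin-sha256":
            pins.append(val)
        else:
            directives[name] = val  # e.g. max-age, includeSubDomains, report-uri
    return {"pins": pins, "directives": directives}

def note_per_2_1_3(headers: List[Header]) -> Dict[str, object]:
    """Section 2.1.3 rule: if both fields are present, note only the
    Report-Only pins and directives and do not enforce Pin Validation."""
    enforce = [v for n, v in headers if n.lower() == "public-key-pins"]
    report = [v for n, v in headers if n.lower() == "public-key-pins-report-only"]
    if report:
        return {"enforce": False, **parse_pkp(report[0])}
    if enforce:
        return {"enforce": True, **parse_pkp(enforce[0])}
    return {"enforce": False, "pins": [], "directives": {}}

def note_per_2_3_1(headers: List[Header]) -> Dict[str, object]:
    """Section 2.3.1 rule: process only the first PKP header field seen
    (assumption: either field name counts as a PKP header field)."""
    for n, v in headers:
        n = n.lower()
        if n in ("public-key-pins", "public-key-pins-report-only"):
            return {"enforce": n == "public-key-pins", **parse_pkp(v)}
    return {"enforce": False, "pins": [], "directives": {}}

# Constructed sample response: an enforcing header first, then a stricter
# report-only header (fewer pins, with a report-uri), as in Tom's scenario.
SAMPLE_HEADERS: List[Header] = [
    ("Public-Key-Pins", 'pin-sha256="AAAA"; pin-sha256="BBBB"; max-age=5184000'),
    ("Public-Key-Pins-Report-Only",
     'pin-sha256="AAAA"; max-age=5184000; report-uri="https://example.com/r"'),
]
```

Run against SAMPLE_HEADERS, the 2.1.3 model notes only the report-only pin and does not enforce, while the 2.3.1 model keeps both enforcing pins and enforces; a UA cannot satisfy both.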
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec