On 29/11/13 10:24 PM, Trevor Perrin wrote:
On Tue, Nov 26, 2013 at 12:14 AM, Yoav Nir <[email protected]> wrote:To summarize, although there has been much discussion since version -06, most of it did not result in massive changes to the document, so IMO we don't need another WGLC.* Weren't we going to discuss the relationship of preloaded to dynamic pins? See email [1]. * The rationale in thread [2] for "strict" seems different from the rationale in previous list discussions [3]. Ryan now argues that "strict" is not needed. I think that's worth considering. * I had feedback on an earlier draft which is still relevant [4], see below. [1] http://www.ietf.org/mail-archive/web/websec/current/msg01938.html [2] http://www.ietf.org/mail-archive/web/websec/current/msg01942.html [3] http://www.ietf.org/mail-archive/web/websec/current/msg01484.html
[hat off]Well, [2] is just an idea I had two weeks ago, which Tom Ritter shot down and easily convinced me. The "strict" directive has come up in discussion at httpbis as well. There's all kinds of talk about adding a "trusted proxy" (a proxy that can see the plaintext). These are used today by performing a MitM attack on the client (with the grudging cooperation of the user or the administrator of her computer. The server does not have any way to ask the browser to not cooperate with the MitM. A "strict" PKP is one great way to convey that policy, and I don't think we should give up on it. This is especially useful now that a lot of the content sites (Facebook, Google, Twitter) are becoming HTTPS-only, and pretty much every firewall around can now do the MitM thing.
Unless there's some good reasons to leave this off, I think we should leave this one in the spec just as it is. Unless we're afraid people might use it ([4]).
[/hat off] Yoav [4] http://lists.w3.org/Archives/Public/ietf-http-wg/2013OctDec/1461.html
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ websec mailing list [email protected] https://www.ietf.org/mailman/listinfo/websec
