On Sun, Dec 1, 2013 at 9:49 AM, Yoav Nir <[email protected]> wrote: > On 29/11/13 10:24 PM, Trevor Perrin wrote: >> >> On Tue, Nov 26, 2013 at 12:14 AM, Yoav Nir <[email protected]> wrote: >>> >>> To summarize, although there has been much discussion since version -06, >>> most of it did not result in massive changes to the document, so IMO we >>> don't need another WGLC. >> >> >> * Weren't we going to discuss the relationship of preloaded to >> dynamic pins? See email [1]. >> >> * The rationale in thread [2] for "strict" seems different from the >> rationale in previous list discussions [3]. Ryan now argues that >> "strict" is not needed. I think that's worth considering. >> >> * I had feedback on an earlier draft which is still relevant [4], see >> below. >> >> [1] http://www.ietf.org/mail-archive/web/websec/current/msg01938.html >> [2] http://www.ietf.org/mail-archive/web/websec/current/msg01942.html >> [3] http://www.ietf.org/mail-archive/web/websec/current/msg01484.html >> > [hat off] > Well, [2] is just an idea I had two weeks ago, which Tom Ritter shot down > and easily convinced me. The "strict" directive has come up in discussion at > httpbis as well. There's all kinds of talk about adding a "trusted proxy" (a > proxy that can see the plaintext). These are used today by performing a MitM > attack on the client (with the grudging cooperation of the user or the > administrator of her computer. The server does not have any way to ask the > browser to not cooperate with the MitM. A "strict" PKP is one great way to > convey that policy
The browser has already decided to cooperate with the MITM. I side with Chris and Ryan: it's pointless for the site to try to win a policy arms race here. The question remains whether "strict" is necessary for the "pinning to local trust anchor" case. Ryan argues that it's not, and describes a way for the browser to handle this without "strict": http://www.ietf.org/mail-archive/web/websec/current/msg01947.htm That proposal makes sense to me, and avoids the complexity of an additional directive. So I support removing "strict", and adding text for this "pinning to local trust anchor" case. Trevor _______________________________________________ websec mailing list [email protected] https://www.ietf.org/mailman/listinfo/websec
