Hi,

It seems like I'm the only one left who likes the "strict" directive, and I don't even like it much, except as a stop-gap measure until we can get proper proxy visibility (discussed in httpbis).

So let's make this a consensus call. If anyone (other than me) feels that "strict" is useful, please speak up now. Let's make it three options:

A. Keep "strict". Explanation required.
B. Drop "strict" - not interested in local policy.
C. Drop "strict", and adopt the rule that local policy can override a regular CA pin, but not a local CA pin.

I think if we drop "strict", the choice between B and C will ultimately fall to the UA, because while Chrome might ship with a list of "standard" root CAs, wget does not. But we should still make a recommendation.

Please send your preferences by Wednesday, December 11th.

Thanks,
Yoav [with chair hat on]
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
