Hello,

re-send, as I just received an error message from the websec-mailing-list mail-server on not delivering this email on Dec-3.

Best regards, Tobias

-------- Original Message --------
Subject: Re: [websec] HPKP: The strict directive and TLS proxies
Date: Tue, 03 Dec 2013 20:43:49 +0000
From: Tobias Gondrom <[email protected]>
To: [email protected], [email protected]
CC: [email protected]

Hi Chris,

<hat=WG chair>
Yes, please roll the updates into a new version and post it as soon as possible.
Please remember version-numbers are cheap, so rather update often.
Plus, I would really like to give the doc in its final state another good read before we go to IESG.
</hat>

regarding:
SHA-1/SHA-256: please consider that we should have hash agility whenever possible. There will be SHA-3 and future ones....

Best regards, Tobias

On 03/12/13 00:24, Chris Palmer wrote:
> Hi all,
>
> Thanks for the discussion. We are going to roll another version of the
> draft to clarify the confusing things. Also, my semi-off-the-cuff
> thoughts on some of the issues:
>
> Strict: I support what Yoav calls option (B): Drop "strict" - not
> interested in local policy. (It has only been a source of confusion.
> Let's keep things simple.)
>
> SHA-1: Let's just get rid of it. SHA-256 only; MUST implement; no
> truncation. (Maximum simplicity.)
>
> Non-overridable failure mode on pin validation failure: To make HPKP
> less of a footgun, I support saying that UAs SHOULD disallow user
> override, or SHOULD provide some way of telling the user that pin
> validation failure happened. But no longer MUST.
> _______________________________________________
> websec mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/websec
