" 5. If a PKP header field contains any directive(s) the UA does not
recognize, the UA MUST ignore the those directives."
Typo.
--------
"If a Host sets both the Public-Key-Pins header and the Public-Key-
Pins-Report-Only header, the UA MUST NOT enforce Pin Validation, and
MUST note only the pins and directives given in the Public-Key-Pins-
Report-Only header."
I thought we were following the CSP model, where you can enforce one
policy, but test a second.
--------
Figure 3 shows some example response header fields using the pins
extension (folded for clarity).
"d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM="
"E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="
Public-Key-Pins: max-age=3000;
pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=";
pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=";
I think some base64 got added accidentally at the top.
--------
"UAs MUST NOT heed http-equiv="Public-Key-Pins" attribute settings on
<meta> elements [W3C.REC-html401-19991224] in received content."
It might be pedantic, but perhaps 'or http-equiv="Public-Key-Pins-Report-Only"'?
--------
UAs MUST recognize and "sha256".
Typo
--------
'Pins' vs 'pins'
Pedantry, but the noun pins is inconsistently capitalized through the document.
--------
Reporting Pin Validation Failure
The JSON report omits directives (such as max-age and
includeSubDomains) that are likely to be relevant.
It also omits superfluous certificates included in the chain that can
be relevant. (In certificate validation testing, it's common to bypass
it by including a superfluous chain that triggers a logic error. This
would help diagnose these types of attacks.)
--------
"The known-pins are the Pins that the UA has noted for the Known
Pinned Host. They are provided as an array of strings with the
syntax:
known-pin = token "=" quoted-string
Figure 6: Known Pin Syntax
"
I think this needs clarification (or fixing). 'Array of strings' +
token=quoted-string. ["pin-sha256="base64==""] obviously doesn't
work. An example JSON post would be cool.
--------
Public-Key-Pins: pin-sha256="ABC..."; pin-sha256="DEF..."; includeSubDomains
Figure 7: example.com Valid Pinning Header
To make it 'valid' should it include max-age=123...?
--------
"Here are two attack scenarios."
You actually list four. (Two of which have empty top-level bullets.)
--------
IANA Considerations
This omits Public-Key-Pins-Report-Only
-tom
_______________________________________________
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec
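Several of the points above (unknown directives being ignored, what a "valid" pinning header needs, the token "=" quoted-string shape of known-pins, and the shape of the JSON report) are easier to see against working code. The block below is an added example, not code from the draft or from the mail: a minimal Public-Key-Pins header parser and pin check in Python. Everything in it is an assumption for illustration: the function names, the placeholder SPKI byte strings, the rule that a header is only "valid" when it carries max-age (the reading the mail suggests), the known-pins strings of the form pin-sha256="<base64>" (one reading of Figure 6), and the report fields, which are a constructed layout rather than the draft's normative format.

```python
"""Added example (not from the HPKP draft or the websec thread): parse a
Public-Key-Pins / Public-Key-Pins-Report-Only header, ignore directives
the UA does not recognise, check a chain's SPKI hashes against the pins,
and assemble an illustrative failure report."""
import base64
import hashlib
import json

# Constructed sample data: placeholder DER SubjectPublicKeyInfo blobs.
# Real code takes these from the certificates in the validated chain.
LEAF_SPKI = b"\x30\x82\x01\x22leaf-key-placeholder"
INTERMEDIATE_SPKI = b"\x30\x82\x01\x22intermediate-key-placeholder"
BACKUP_SPKI = b"\x30\x82\x01\x22backup-key-placeholder"


def spki_pin(spki_der):
    """pin-sha256 value: base64 of SHA-256 over the DER-encoded SPKI."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def _split_directives(value):
    """Split a header value on ';' characters that are not inside a quoted-string."""
    parts, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def parse_pkp(value):
    """Parse the directives of a Public-Key-Pins(-Report-Only) header value.

    Directive names are case-insensitive tokens; values may be quoted-strings.
    Unrecognised directives are recorded and otherwise ignored, not rejected,
    which is the behaviour the draft requires of the UA."""
    policy = {"pins": set(), "max_age": None, "include_subdomains": False,
              "report_uri": None, "ignored": []}
    for directive in _split_directives(value):
        name, _, raw = directive.partition("=")
        name = name.strip().lower()
        raw = raw.strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = raw[1:-1]
        if name == "pin-sha256":
            policy["pins"].add(raw)
        elif name == "max-age":
            policy["max_age"] = int(raw)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "report-uri":
            policy["report_uri"] = raw
        else:
            policy["ignored"].append(name)
    return policy


def is_valid_pkp(policy):
    """Assumption for this example: a header is only noted if it carries
    max-age and at least one pin-sha256 directive."""
    return policy["max_age"] is not None and len(policy["pins"]) > 0


def pins_match(policy, chain_spkis):
    """Pin Validation: at least one SPKI in the validated chain must hash to a
    noted pin.  Extra certificates in the chain cannot make this fail."""
    return any(spki_pin(spki) in policy["pins"] for spki in chain_spkis)


def build_report(host, port, policy, served_chain_pems):
    """Constructed report layout (assumption, not the draft's normative JSON).
    known-pins is an array of strings shaped like  pin-sha256="<base64>"."""
    return {
        "date-time": "2013-01-01T00:00:00Z",  # constructed timestamp
        "hostname": host,
        "port": port,
        "include-subdomains": policy["include_subdomains"],
        "served-certificate-chain": served_chain_pems,
        "known-pins": ['pin-sha256="%s"' % p for p in sorted(policy["pins"])],
    }


if __name__ == "__main__":
    header = ('max-age=3000; pin-sha256="%s"; pin-sha256="%s"; includeSubDomains; '
              'report-uri="https://example.com/report;v=1"; unknown-directive=x'
              % (spki_pin(LEAF_SPKI), spki_pin(BACKUP_SPKI)))
    policy = parse_pkp(header)
    print("ignored:", policy["ignored"])                        # ['unknown-directive']
    print("valid:", is_valid_pkp(policy))                       # True
    print("chain pins ok:", pins_match(policy, [LEAF_SPKI, INTERMEDIATE_SPKI]))  # True
    print(json.dumps(build_report("example.com", 443, policy,
                                  ["-----BEGIN CERTIFICATE-----placeholder"]), indent=2))
```

The splitter tracks quoted-strings so a report-uri containing ';' survives, and `partition("=")` splits on the first '=' only, so the '=' padding of a base64 pin value is kept intact.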