On Feb 7, 2014 8:47 PM, "Chris Palmer" <[email protected]> wrote:
>
> Oops, I forgot one thing:
>
> On Fri, Feb 7, 2014 at 5:12 AM, Tom Ritter <[email protected]> wrote:
>
> > "If a Host sets both the Public-Key-Pins header and the
> > Public-Key-Pins-Report-Only header, the UA MUST NOT enforce Pin
> > Validation, and MUST note only the pins and directives given in the
> > Public-Key-Pins-Report-Only header."
> >
> > I thought we were following the CSP model, where you can enforce one
> > policy, but test a second.
>
> Honestly, I think that's likely to be too complicated. I want to
> prioritize ease of deployment (which includes a simple-to-state policy
> like the above, and failing open when not unreasonably unsafe), and
> I'd like for the implementation not to get too much more complicated.
I suppose. I think the extra implementation complication is in conditionally applying code rather than having to write additional code, which strike me as different, but you would know better than me. And that deployment would actually be made more confusing, not less, by having two analogous headers, named in the same pattern, that behave differently - I think that's likely to cause as much confusion as anything else. I imagine someone like Twitter, with its multiple pinned CAs, would have a really good use case for being able to apply and test two different policies. But, I also am anxious to get this out in the field - if anyone thinks similarly, they can speak up.

-tom
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
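To make the two readings being debated concrete, here is an added example (not code from the thread or from any browser) of how a UA might resolve the HPKP headers on a response: `resolve_hpkp` applies the draft rule Tom quoted (both headers present means report-only wins and nothing is enforced), while `resolve_csp_style` applies the CSP-like model he expected (enforce one policy, test the other). The header parser, the function names and the sample pin values are constructed for illustration.

```python
def parse_pins_header(value):
    """Parse a Public-Key-Pins[-Report-Only] value such as
    'pin-sha256="..."; max-age=N; includeSubDomains; report-uri="..."'
    into a dict. Unknown directives are ignored; a bad max-age is dropped."""
    policy = {"pins": [], "max_age": None, "include_subdomains": False, "report_uri": None}
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        name, raw = name.strip().lower(), raw.strip().strip('"')
        if name == "pin-sha256":
            policy["pins"].append(raw)
        elif name == "max-age":
            policy["max_age"] = int(raw) if raw.isdigit() else None
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "report-uri":
            policy["report_uri"] = raw
    return policy


def _lookup(headers):
    # Header names are case-insensitive; normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}
    return h.get("public-key-pins"), h.get("public-key-pins-report-only")


def resolve_hpkp(headers):
    """Draft rule quoted in the thread: if both headers are present the UA
    MUST NOT enforce and notes only the Report-Only pins. Returns (mode, policy)."""
    enforce, report = _lookup(headers)
    if report is not None:
        return "report-only", parse_pins_header(report)
    if enforce is not None:
        return "enforce", parse_pins_header(enforce)
    return "none", None


def resolve_csp_style(headers):
    """CSP-like model: every header present yields its own policy, so one can
    be enforced while a second is tested. Returns a list of (mode, policy)."""
    enforce, report = _lookup(headers)
    result = []
    if enforce is not None:
        result.append(("enforce", parse_pins_header(enforce)))
    if report is not None:
        result.append(("report-only", parse_pins_header(report)))
    return result


# Constructed sample response headers; pin values are placeholders, not real digests.
SAMPLE_HEADERS = {
    "Public-Key-Pins": 'pin-sha256="PIN_A_PLACEHOLDER="; pin-sha256="PIN_B_PLACEHOLDER="; max-age=5184000; includeSubDomains',
    "Public-Key-Pins-Report-Only": 'pin-sha256="PIN_C_PLACEHOLDER="; max-age=60; report-uri="https://example.com/hpkp-report"',
}
```

Run against `SAMPLE_HEADERS`, `resolve_hpkp` returns only the report-only policy with PIN_C, whereas `resolve_csp_style` returns the enforced A/B policy alongside the tested C policy.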
