On 7/2/14 11:39 AM, Yoav Nir wrote:
Thank you Chris, Chris and Ryan.

This is to announce the beginning of a WGLC for this draft. Because a lot of the group members are busy preparing for London and getting those drafts out by the deadline, we will extend the time allocated for this WGLC to three weeks, ending on February 28th. Please take this almost-final opportunity to review the draft and if you spot a problem, send comments to the list.

Thanks

Tobias and Yoav
Some comments of my own. No hats

Section 1, first sentence begins with "We propose a new...". Our target is called "proposed standard", but I think it would be better to say "We define a new HTTP header..."
---------

Fourth paragraph in section 2.1.3 is kind of clunky:

OLD
"When used in the Public-Key-Pins header, the presence of a report-uri directive indicates to the UA that the UA MUST enforce Pin Validation, and the UA SHOULD also, in the event of Pin Validation failure, POST a report to the report-uri."
The presence of the report-uri directive has nothing to do with the UA having to enforce pin validation. That is required by any PKP header. How about rewriting this as:
NEW
"When used in the Public-Key-Pins header, the presence of a report-uri directive indicates to the UA that it SHOULD also, in the event of Pin Validation failure, POST a report to the report-uri."
---------

Section 2.5.

Section 2.4 says that future versions may add new algorithms. So we should be prepared for new algorithms. Section 2.5 says "For forward compatibility, the UA MUST ignore any unrecognized Public-Key-Pins header directives, while still processing those directives it does recognize." So suppose the UA got the following header:
Public-Key-Pins: max-age=2592000;
pin-sha4-256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=";
pin-sha4-256="LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ="
Not having support for SHA4, it can't validate or use these pins. That
is fine when the server keys are not yet pinned. Now suppose that the
server is pinned (because previously it expressed HPKP with a SHA2-256).
Does the UA (a) ignore it, keeping the old pin, or (b) treat this as
unpinning? Either way, where does it say so?
Thanks Yoav
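
The case raised above, as an added example that is not part of the original message or of the draft: a UA-side parser that applies the quoted Section 2.5 rule (ignore unrecognized directives, process the rest) to the SHA4-only header, which leaves no usable pins, so what happens to an already stored pin depends on a choice the message says is not specified. The host name, the stored pin value, the function names and the `on_no_usable_pins` switch are assumptions made for illustration.

```python
import re

# Assumption: this UA implements only the SHA-256 pin directive.
RECOGNIZED_PINS = {"pin-sha256"}
# directive-name, optionally followed by = and a quoted string or a bare token
DIRECTIVE = re.compile(r'([A-Za-z0-9-]+)\s*(?:=\s*(?:"([^"]*)"|([^;"\s]*)))?')

def parse_pkp(value):
    """Return (max_age, usable_pins, ignored_directive_names)."""
    max_age, pins, ignored = None, [], []
    for m in DIRECTIVE.finditer(value):
        name = m.group(1).lower()
        arg = m.group(2) if m.group(2) is not None else (m.group(3) or "")
        if name == "max-age" and arg.isdigit():
            max_age = int(arg)
        elif name in RECOGNIZED_PINS:
            pins.append((name, arg))
        elif name in ("includesubdomains", "report-uri"):
            pass  # recognized, but not relevant to this example
        else:
            ignored.append(name)  # forward compatibility: skip and keep going
    return max_age, pins, ignored

def note_host(store, host, value, on_no_usable_pins):
    """Update a pin store from one header.

    on_no_usable_pins is 'keep' (reading a) or 'unpin' (reading b); it is a
    hypothetical switch, not something the draft text quoted above defines.
    """
    _, pins, ignored = parse_pkp(value)
    if pins:
        store[host] = pins
    elif on_no_usable_pins == "unpin":
        store.pop(host, None)
    # 'keep': whatever is already stored stays untouched
    return store.get(host), ignored

# Header from the message above; example.test and OLD_PIN are constructed.
NEW_HEADER = ('max-age=2592000; '
              'pin-sha4-256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="; '
              'pin-sha4-256="LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ="')
OLD_PIN = [("pin-sha256", "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")]

if __name__ == "__main__":
    for policy in ("keep", "unpin"):
        store = {"example.test": list(OLD_PIN)}
        print(policy, note_host(store, "example.test", NEW_HEADER, policy))
```

Both runs ignore the same two directives; only the explicit policy decides whether the earlier SHA-256 pin survives, which is the gap the question points at.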
