On Sat, Feb 8, 2014 at 11:24 PM, Yoav Nir <[email protected]> wrote:
> [Replying to myself, but with no hats on]
>
> IMO the current text is fine. Regarding the first point, it creates a burden
> for the browser maker, but only if they update their pre-loaded pin list by
> observation.

Updating preloaded pin lists by "observation" (i.e. scanning sites for HPKP headers) is a reasonable thing for a browser maker to do. We shouldn't create an unnecessary burden for them in that case.

I find section 2.7 unclear, but it seems to mandate that preloaded pin lists MUST include entries for expired pins or max-age=0 pins, as well as the last-observed time for each such entry and each pin, so that the browser can be sure it is using the "most recent" observation for each pin, even when that observation was negative or now expired. That seems to unnecessarily preclude simpler and more efficient implementations, which is my objection.

> I think in a future where HPKP is supported in most browsers, pre-loaded
> lists will contain very few entries - perhaps the big content sites and a few
> banks, maybe Paypal. I expect that most site operators would be happier to
> pin sites by themselves with an HPKP header rather than interact with all
> browser vendors.

Since browser vendors could scan for HPKP headers to populate their preloaded lists I think wider use of HPKP is likely to lead to *MORE* preloaded pinning, not less.

Trevor

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
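The two readings under discussion, a preload list that keeps the last-observed time of every entry (including max-age=0 and since-expired ones) versus a simpler list that ships only pins currently in force, can be made concrete with a small model. The following is an added example written for this thread; it is not code from the draft, from any browser vendor, or from either correspondent. The header parser follows the Public-Key-Pins syntax (pin-sha256, max-age, includeSubDomains); the pin values, hostnames and observation times are constructed, and the "one pin minimum when max-age > 0" check is an assumption of this example rather than a quotation of the draft text.

```python
import base64
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def pin_from_spki(spki_der: bytes) -> str:
    """pin-sha256 value: base64 of the SHA-256 digest of the DER-encoded SPKI."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_pkp_header(value: str) -> Tuple[List[str], int, bool]:
    """Parse a Public-Key-Pins header value into (pins, max_age, include_subdomains).

    Unknown directives (for example report-uri) are ignored; malformed pins or
    a missing max-age are rejected rather than silently accepted.
    """
    pins: List[str] = []
    max_age: Optional[int] = None
    include_subdomains = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "pin-sha256":
            digest = base64.b64decode(arg, validate=True)
            if len(digest) != 32:
                raise ValueError("pin-sha256 must encode a 32-byte digest")
            pins.append(arg)
        elif name == "max-age":
            if not arg.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    if max_age > 0 and not pins:
        # assumption of this example: a positive max-age with no pins is invalid
        raise ValueError("a positive max-age requires at least one pin")
    return pins, max_age, include_subdomains


@dataclass
class Observation:
    host: str
    pins: List[str]
    max_age: int            # seconds; 0 means the site withdrew its pins
    include_subdomains: bool
    observed_at: int        # Unix time at which the scanner saw the header


class PreloadList:
    """Preload list built by scanning sites for HPKP headers.

    Every host keeps its most recent observation, including max-age=0 and
    since-expired ones, so that an older scan result processed later cannot
    resurrect pins the site has already withdrawn.  This models the reading
    of section 2.7 described in the mail above.
    """

    def __init__(self) -> None:
        self.entries: Dict[str, Observation] = {}

    def observe(self, host: str, header_value: str, observed_at: int) -> bool:
        """Record a scanned header; returns False if it is older than what we hold."""
        pins, max_age, inc = parse_pkp_header(header_value)
        current = self.entries.get(host)
        if current is not None and observed_at < current.observed_at:
            return False  # stale: an older observation never overrides a newer one
        self.entries[host] = Observation(host, pins, max_age, inc, observed_at)
        return True

    def active_pins(self, host: str, now: int) -> Optional[List[str]]:
        """Pins to enforce for host at time now, or None when nothing is pinned."""
        obs = self.entries.get(host)
        if obs is None or obs.max_age == 0 or now >= obs.observed_at + obs.max_age:
            return None
        return list(obs.pins)

    def shipping_list(self, now: int) -> Dict[str, List[str]]:
        """The simpler form: only hosts whose pins are still in force at build
        time; negative and expired entries are dropped from what ships."""
        result: Dict[str, List[str]] = {}
        for host in self.entries:
            pins = self.active_pins(host, now)
            if pins is not None:
                result[host] = pins
        return result
```

The point the example makes is where the extra bookkeeping buys something: `observe` only needs the stored timestamp to reject an out-of-order scan result, while `shipping_list` shows that what actually ships to users can still be the compact form, because the negative and expired entries matter to the scanner's own state, not to the list it publishes.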
