On Thu, Feb 13, 2014 at 11:42 AM, Trevor Perrin <[email protected]> wrote:
>> Yet a fourth way is to observe that none of this affects interoperability
>> in any way and leave it up to the UA vendor to choose their way. The web
>> site operator should only include valid pins in their HPKP headers, and they
>> should also enter only valid pins in pre-loaded lists. They should also deal
>> with the fact that they don't control usage patterns, so anytime they pin
>> something for X seconds, their website MUST conform to that pin for at least
>> those X seconds or bad things will happen.
>
> Your "fourth way" is well-put, and I agree - all of these seem valid
> implementations which should be allowed.

I have been thinking that this 4th way is the way to go. Note for example that RFC 6797 (HSTS — which I would still like for HPKP to emulate) does not even cover the topic.

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
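The "only include valid pins" and "conform to that pin for at least X seconds" obligations in the quoted text are exactly what a site operator should check before shipping a header. The following is an added example written for this page, not code from the thread or from any UA; it pre-flights a Public-Key-Pins header the way the final spec (RFC 7469, which post-dates this thread) obliges clients to judge it: a pin is the base64 SHA-256 of the certificate's DER SubjectPublicKeyInfo, at least one pin must match the served chain or the policy is ignored, and a backup pin not in the chain is required. It also treats a planned rotation key as something that must already be pinned, since clients that cache the policy enforce it for the full max-age. The SPKI byte strings are constructed placeholders standing in for real DER; the function names are the example's own.

```python
import base64
import hashlib


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(DER-encoded SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_hpkp(header: str) -> dict:
    """Parse a Public-Key-Pins header value into its directives (RFC 7469 syntax)."""
    policy = {"pins": [], "max_age": None, "include_subdomains": False, "report_uri": None}
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "pin-sha256":
            policy["pins"].append(value)
        elif name == "max-age":
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "report-uri":
            policy["report_uri"] = value
    return policy


def validate_pins(header: str, chain_spkis, planned_spkis=()) -> list:
    """Return the list of reasons this header would fail or later break; empty means OK.

    chain_spkis:   SPKI DER of every certificate the server currently sends.
    planned_spkis: SPKI DER of keys that will be served before the policy expires.
    """
    policy = parse_hpkp(header)
    pins = set(policy["pins"])
    problems = []

    if policy["max_age"] is None:
        problems.append("max-age directive missing; clients ignore the policy")
    for pin in pins:
        try:
            raw = base64.b64decode(pin, validate=True)
        except ValueError:
            raw = b""
        if len(raw) != 32:
            problems.append(f"malformed pin-sha256 value {pin!r}")
    if len(pins) < 2:
        problems.append("need at least two pins (one must be a backup)")

    chain_pins = {spki_pin(s) for s in chain_spkis}
    if not pins & chain_pins:
        problems.append("no pin matches the served chain; clients ignore the policy")
    if not pins - chain_pins:
        problems.append("no backup pin outside the served chain")

    # Anything served within max-age seconds must already be pinned now.
    for spki in planned_spkis:
        if spki_pin(spki) not in pins:
            problems.append("key planned for rotation within max-age is not pinned; "
                            "clients holding this policy would reject it")
    return problems


# Constructed placeholders: real code would feed the DER from
#   openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der
LEAF_SPKI = b"\x30\x59constructed-leaf-spki"
INTERMEDIATE_SPKI = b"\x30\x59constructed-intermediate-spki"
BACKUP_SPKI = b"\x30\x59constructed-offline-backup-spki"
ROTATION_SPKI = b"\x30\x59constructed-next-year-key"

SERVED_CHAIN = [LEAF_SPKI, INTERMEDIATE_SPKI]

# 5184000 seconds is 60 days; every key served in that window must be in this set.
GOOD_HEADER = (f'pin-sha256="{spki_pin(LEAF_SPKI)}"; '
               f'pin-sha256="{spki_pin(BACKUP_SPKI)}"; '
               'max-age=5184000; includeSubDomains')

# Operator pinned only keys that are not in the chain actually served.
NO_MATCH_HEADER = (f'pin-sha256="{spki_pin(BACKUP_SPKI)}"; '
                   f'pin-sha256="{spki_pin(ROTATION_SPKI)}"; max-age=5184000')

if __name__ == "__main__":
    for label, header, planned in [
        ("good", GOOD_HEADER, []),
        ("no-match", NO_MATCH_HEADER, []),
        ("unpinned-rotation", GOOD_HEADER, [ROTATION_SPKI]),
    ]:
        print(label, validate_pins(header, SERVED_CHAIN, planned) or "OK")
```

The last case is the one the quoted text warns about: the header is fine today, but a key rotation inside the 60-day window that was not pinned in advance would be refused by every client still holding the old policy, and the operator cannot shorten that window after the fact.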
