On 2/19/2014 1:13 PM, Chris Palmer wrote:
> On Thu, Feb 13, 2014 at 11:42 AM, Trevor Perrin <[email protected]> wrote:
>> Your "fourth way" is well-put, and I agree - all of these seem
>> valid implementations which should be allowed.
>
> I have been thinking that this 4th way is the way to go. Note for
> example that RFC 6797 (HSTS — which I would still like for HPKP to
> emulate) does not even cover the topic.

The pre-load list seems outside the mechanism covered by the spec. At
best the spec could mention it in a non-normative section as something
UAs can do to cover the first-visit gap, but there are several valid
ways such a list could be implemented.
-Dan Veditz
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec