Hi websec,

How should HPKP's Public-Key-Pins-Report-Only header work?

Does it only apply a check to the current TLS connection, or is the UA expected to remember the pins and apply them to future connections? If the UA is expected to remember them, how do "Report-Only" pins interact with regular pins? Do they override each other, or are Report-Only pins tracked separately, so that a browser might have a Report-Only pin and a "regular" pin for the same site?

Trevor

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
