Hi

I think all the issues raised during this WGLC have been (I think) addressed 
(and correct me on another thread if I’ve missed something), with the exception 
of some issues with the Report-Only header.

First issue was the interaction between PKP and PKPRO if both are present. 
Current text ([1]) says “If a Host sets both the Public-Key-Pins header and the 
Public-Key-Pins-Report-Only header, the UA MUST NOT enforce Pin Validation”.  
This was objected to by some ([2]), as it doesn’t follow the CSP model. Chris 
suggested alternative text that allows them both ([3]), where PKP is enforced, 
and PKPRO is only noted and reported. There were no objections to this, except 
that Tom corrected a typo. Can we consider this resolved?

Then Trevor brought up another issue ([4]). He asked whether the UA actually 
notes PKPRO pins or just reports on them. Nobody has responded yet, but I think 
that’s a good point. Is there any value to noting PKPRO for, say, a month, and 
then reporting after two weeks that the current certificates do not match?  
When I imagine how someone would use PKPRO, I guess they generate a pins 
string, issue them as PKPRO, and if no reports arrive for, say, 7 days, they 
are moved into “production”, which is the regular PKP. Suppose the pins in 
PKPRO do generate reports, I guess the administrator checks the reports, fixes 
whatever is wrong, and posts the good pins as PKPRO again. Does it make sense 
to keep receiving reports for the old pins?  OTOH if we accept the non-noting 
idea, then the max-age directive makes no sense and should be omitted.  As 
there has been no discussion yet, we need to consider this a bit. 

Please do.

Yoav & Tobias


[1] http://tools.ietf.org/html/draft-ietf-websec-key-pinning-11#section-2.1.3
[2] http://www.ietf.org/mail-archive/web/websec/current/msg02001.html
[3] http://www.ietf.org/mail-archive/web/websec/current/msg02026.html
[4] http://www.ietf.org/mail-archive/web/websec/current/msg02030.html
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
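Chris's alternative text in [3] has the UA enforce PKP and only note and report PKP-RO when both headers are present. As an added illustration (not from the draft or from anyone on the thread), the following models that decision for one connection; the header names and the pin-sha256, max-age and report-uri directives are those of the draft, while the SPKI blobs, pin values and report URI are constructed.

```python
import base64
import hashlib
from dataclasses import dataclass, field

@dataclass
class PinSet:
    pins: set = field(default_factory=set)  # base64 SHA-256 SPKI fingerprints
    max_age: int = 0
    report_uri: str = ""

def parse_pkp_header(value: str) -> PinSet:
    """Parse the directive list both PKP and PKP-RO use (pin-sha256, max-age, report-uri)."""
    ps = PinSet()
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "pin-sha256":
            ps.pins.add(arg)
        elif name == "max-age":
            ps.max_age = int(arg)
        elif name == "report-uri":
            ps.report_uri = arg
    return ps

def spki_fingerprint(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def evaluate(headers: dict, chain: set) -> dict:
    """Both headers present: PKP is enforced, PKP-RO only noted and reported. `chain` = SPKI fingerprints of the validated chain."""
    outcome = {"enforce_fail": False, "reports": []}
    if "Public-Key-Pins" in headers:
        pkp = parse_pkp_header(headers["Public-Key-Pins"])
        if not pkp.pins & chain:  # no pin in the chain: Pin Validation fails
            outcome["enforce_fail"] = True
            if pkp.report_uri:
                outcome["reports"].append(pkp.report_uri)
    if "Public-Key-Pins-Report-Only" in headers:
        ro = parse_pkp_header(headers["Public-Key-Pins-Report-Only"])
        if not ro.pins & chain and ro.report_uri:  # mismatch is reported, never enforced
            outcome["reports"].append(ro.report_uri)
    return outcome

# Constructed stand-ins for DER SPKI blobs; real pins hash the actual keys.
LEAF, BACKUP, CANDIDATE, CA = (spki_fingerprint(b) for b in
    (b"constructed-leaf", b"constructed-backup", b"constructed-new", b"constructed-ca"))
SAMPLE_HEADERS = {  # production pins match the chain, the trial (PKP-RO) set does not
    "Public-Key-Pins": f'pin-sha256="{LEAF}"; pin-sha256="{BACKUP}"; max-age=2592000',
    "Public-Key-Pins-Report-Only": f'pin-sha256="{CANDIDATE}"; pin-sha256="{BACKUP}"; '
                                   'report-uri="https://report.example/pkpro"',
}
```

With the constructed chain {LEAF, CA} the connection succeeds and a single PKP-RO report is generated, which is the staging workflow described above; swapping the leaf for the candidate key instead makes PKP fail while PKP-RO stays silent.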