On Wed, Feb 26, 2014 at 8:30 AM, Yoav Nir <[email protected]> wrote:
> Hi
>
> I think all the issues raised during this WGLC have been (I think)
> addressed (and correct me on another thread if I've missed something), with
> the exception of some issues with the Report-Only header.
>

I don't know whether the recently-discussed issues are addressed, as we haven't seen a new draft. Many of the issues I raised in July and November are still outstanding:

http://www.ietf.org/mail-archive/web/websec/current/msg02011.html
http://www.ietf.org/mail-archive/web/websec/current/msg01956.html
http://www.ietf.org/mail-archive/web/websec/current/msg01692.html

I'll bring them up again once there's a new draft.

> First issue was the interaction between PKP and PKPRO if both are present.
> Current text ([1]) says "If a Host sets both the Public-Key-Pins header and
> the Public-Key-Pins-Report-Only header, the UA MUST NOT enforce Pin
> Validation". This was objected to by some ([2]), as it doesn't follow the
> CSP model. Chris suggested alternative text that allows them both ([3]),
> where PKP is enforced, and PKPRO is only noted and reported. There were no
> objections to this, except that Tom corrected a typo. Can we consider this
> resolved?
>

No, because this is linked to the question about how PKP-RO works, which we don't have an answer to:

http://www.ietf.org/mail-archive/web/websec/current/msg02030.html

> Then Trevor brought up another issue ([4]). He asked whether the UA
> actually notes PKPRO pins or just reports on them. Nobody has responded
> yet, but I think that's a good point. Is there any value to noting PKPRO
> for, say, a month, and then reporting after two weeks that the current
> certificates do not match? When I imagine how someone would use PKPRO, I
> guess they generate a pins string, issue them as PKPRO, and if no reports
> arrive for, say, 7 days, they are moved into "production", which is the
> regular PKP.
> Suppose the pins in PKPRO do generate reports, I guess the
> administrator checks the reports, fixes whatever is wrong, and posts the
> good pins as PKPRO again. Does it make sense to keep receiving reports for
> the old pins? OTOH if we accept the non-noting idea, then the max-age
> directive makes no sense and should be omitted. As there has been no
> discussion yet, we need to consider this a bit.
>

The issue is not just old pins, it's whether the browser is expected to apply the PKP-RO check to other connections besides the current one, and if so, how these two different types of pins co-exist, whether they overwrite each other, etc.

Trevor
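An added example (not from the thread or the draft) of the CSP-style rule Chris proposed, in Python: a user agent checks a served chain's SPKI hashes against both headers, enforcing PKP and only reporting PKP-RO. It assumes PKP-RO pins are checked against the current response only and not noted, which is one of the two readings Trevor's question leaves open; the fingerprints, header values and report URIs are constructed.

```python
# Constructed SPKI fingerprints (base64 SHA-256); stand-ins, not real keys.
LEAF_SPKI = "cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs="
BACKUP_SPKI = "M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE="
ROTATED_SPKI = "RRM1dGqnDFsCJXBTHky16vi1obOlCgFFn/yOhI/y+ho="

# Constructed response headers: production pins in PKP, candidate pins in PKP-RO.
SAMPLE_HEADERS = {
    "Public-Key-Pins": (
        f'pin-sha256="{LEAF_SPKI}"; pin-sha256="{BACKUP_SPKI}"; '
        'max-age=2592000; report-uri="https://example.com/pkp"'),
    "Public-Key-Pins-Report-Only": (
        f'pin-sha256="{ROTATED_SPKI}"; pin-sha256="{BACKUP_SPKI}"; '
        'max-age=604800; report-uri="https://example.com/pkp-ro"'),
}

def parse_pins_header(value):
    """Split a PKP / PKP-RO header value into its pins, max-age and report-uri."""
    policy = {"pins": [], "max_age": None, "report_uri": None}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "pin-sha256":
            policy["pins"].append(arg)
        elif name == "max-age":
            policy["max_age"] = int(arg)
        elif name == "report-uri":
            policy["report_uri"] = arg
    return policy

def chain_matches(policy, chain_spkis):
    """Pin Validation succeeds if any SPKI hash in the served chain is pinned."""
    return any(spki in policy["pins"] for spki in chain_spkis)

def validate(headers, chain_spkis):
    """Return (connection_allowed, reports). Only a PKP mismatch blocks the
    connection; a PKP-RO mismatch is reported but never enforced. Assumption:
    PKP-RO pins apply to this response only and are not noted for later use."""
    allowed, reports = True, []
    for name, enforce in (("Public-Key-Pins", True),
                          ("Public-Key-Pins-Report-Only", False)):
        if name not in headers:
            continue
        policy = parse_pins_header(headers[name])
        if chain_matches(policy, chain_spkis):
            continue
        if enforce:
            allowed = False
        if policy["report_uri"]:
            reports.append((name, policy["report_uri"]))
    return allowed, reports
```

With the constructed headers, a chain carrying LEAF_SPKI passes PKP but triggers a PKP-RO report, while a chain carrying only ROTATED_SPKI fails PKP and is blocked even though PKP-RO is satisfied.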
_______________________________________________ websec mailing list [email protected] https://www.ietf.org/mailman/listinfo/websec
