On Wed, Feb 26, 2014 at 1:44 PM, Ryan Sleevi <[email protected]>wrote:
> In an attempt to resolve your outstanding issue(s) with PKP-RO, I want to
> first ensure that this proposal makes sense. If we're in agreement, we can
> work on adding it to the next draft.
>
> PKP
> - Persistently recorded
> - Expires based on max-age
> - Causes all subsequent connections since 'noting' fails
>   - Note that this is somewhat ambiguous within a UA that has multiple
>     simultaneous connections, and for which header parsing may happen at
>     any arbitrary time.
>   - _HOWEVER_, I think this is best left up to implementations, since
>     the external effects are consistent with how the server/service sets
>     up resource fetching.
>
> PKP-RO
> - Not persistent
> - Applies only to the _single_ transport connection
>   - Because HTTP connections MAY be kept-alive or re-used, to further
>     qualify
>   - Is evaluated upon receipt of the header, for the response it's
>     included in.

That's the simpler of the options. It means PKP-RO only tests whether the browser builds a chain you expect at one moment in time. It doesn't test whether the site is serving the correct certs for different URLs (e.g. includeSubdomains), so it's not a thorough test (i.e. the lack of reports doesn't provide much confidence that the PKP header is safe). It also doesn't have any security value.

I don't hugely object to this, but given its limitations I'm not sure it's worth the effort. Curious what other people think.

Trevor
_______________________________________________ websec mailing list [email protected] https://www.ietf.org/mailman/listinfo/websec
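The difference between the two header semantics discussed in this thread, as an added toy model that is not part of the original messages or of any browser's code: a user agent pin store that persists PKP pins with a max-age expiry and enforces them on later connections, while PKP-RO is evaluated once against the response it arrives in and only produces a report. The class and function names and the sample pin values (`AAA=`, `BBB=`, `ZZZ=`) are constructed for illustration; a real UA compares base64 SHA-256 hashes of the certificate chain's SPKIs.

```python
import time

def parse_pkp(header):
    """Parse a PKP or PKP-RO header value into (pins, max_age, include_subdomains).
    Only the directives discussed above are modelled (pin-sha256, max-age,
    includeSubDomains); report-uri is ignored here."""
    pins, max_age, sub = set(), None, False
    for directive in (d.strip() for d in header.split(";") if d.strip()):
        name, _, value = directive.partition("=")
        name, value = name.lower(), value.strip('"')
        if name == "pin-sha256":
            pins.add(value)
        elif name == "max-age":
            max_age = int(value)
        elif name == "includesubdomains":
            sub = True
    return pins, max_age, sub

class PinStore:
    """Toy UA pin store (constructed for this example, not a real implementation)."""
    def __init__(self):
        self.pins = {}      # host -> (pins, absolute expiry, include_subdomains)
        self.reports = []   # hosts for which a PKP-RO check failed

    def _pins_for(self, host, now):
        for h, (pins, expiry, sub) in self.pins.items():
            if expiry > now and (host == h or (sub and host.endswith("." + h))):
                return pins
        return None

    def on_response(self, host, chain_spki, header, report_only, now=None):
        """Header received on a response whose chain carries the SPKI hashes in chain_spki."""
        now = time.time() if now is None else now
        pins, max_age, sub = parse_pkp(header)
        ok = bool(pins & set(chain_spki))
        if report_only:
            # PKP-RO: evaluated for this response only; nothing is persisted.
            if not ok:
                self.reports.append(host)
            return ok
        # PKP: 'note' the pins only when the current chain validates against them.
        if ok and max_age:
            self.pins[host] = (pins, now + max_age, sub)
        return ok

    def on_connect(self, host, chain_spki, now=None):
        """Subsequent connection: only persisted (PKP) pins are enforced."""
        now = time.time() if now is None else now
        pins = self._pins_for(host, now)
        return pins is None or bool(pins & set(chain_spki))
```

Running the same header first as PKP-RO and then as PKP shows Trevor's point: the report-only check leaves the store empty and says nothing about later connections or subdomains, whereas the enforcing header makes a later mismatching connection to a subdomain fail until max-age expires.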
