On Feb 26, 2014, at 11:44 PM, Ryan Sleevi <[email protected]> wrote:
>> The issue is not just old pins, it's whether the browser is expected to
>> apply the PKP-RO check to other connections besides the current one, and
>> if so, how these two different types of pins co-exist, whether they
>> overwrite each other, etc.
>
> In an attempt to resolve your outstanding issue(s) with PKP-RO, I want to
> first ensure that this proposal makes sense. If we're in agreement, we can
> work on adding it to the next draft.
>
> PKP
> - Persistently recorded
> - Expires based on max-age
> - Causes all subsequent connections since 'noting' to fail
>   - Note that this is somewhat ambiguous within a UA that has multiple
>     simultaneous connections, and for which header parsing may happen at
>     any arbitrary time.
>   - _HOWEVER_, I think this is best left up to implementations, since
>     the external effects are consistent with how the server/service sets
>     up resource fetching.
>
> PKP-RO
> - Not persistent
> - Applies only to the _single_ transport connection
>   - Because HTTP connections MAY be kept-alive or re-used, to further qualify
>   - Is evaluated upon receipt of the header, for the response it's
>     included in.
>
> This means that if an HTTPS server sends a PKP-RO header, then performs a
> TLS renegotiation that changes certificates in a way that violates the
> -RO, _NO_ report is sent. If the connection is used for another HTTP
> request, and -RO is sent, then the policy IS re-evaluated and a report is
> sent.
>
> Clarify that PKP-RO does _not_ affect the overall security state of the
> resource fetch. Specifically, it does NOT cause the connection to be
> closed with error. UAs MAY choose to also notify the user on -RO failures,
> or MAY NOT - it's up to the implementation. Example of "notification" may
> include something as simple as logging to the developer console.

I (with no hats) am very much in favor of this change. It makes sense for the way I think this will be used.

If I were administering a web server and wanted to use PKP, I would generate the PKP string and install it as PKP-RO for a few days. If no reports came in, it would be ready for production. I am not concerned about the renegotiation issue.

[with chair hat] if others feel differently, please speak up now.

Yoav

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
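The following is an added example, not code from the websec thread or from any browser: a small Python model of a user agent applying the PKP / PKP-RO split Ryan proposes, followed by the staged rollout Yoav describes (ship the pin as report-only first, then as an enforced pin). It uses the header names Public-Key-Pins and Public-Key-Pins-Report-Only and the pin-sha256 / max-age / report-uri directives from the HPKP draft; the hostname, report URI and the byte strings standing in for DER SubjectPublicKeyInfo blobs are constructed for the example. One detail beyond this message is assumed: a PKP header is only noted when the presented chain already satisfies its pins.

```python
"""Added example (not from the websec thread): model of PKP (persistent,
enforced) versus PKP-RO (per-response, report-only) under the proposed semantics."""
import base64
import hashlib

SPKI_A = b"constructed SubjectPublicKeyInfo A"   # stand-ins for DER SPKI blobs
SPKI_B = b"constructed SubjectPublicKeyInfo B"
REPORT_URI = "https://example.test/pkp-report"   # constructed report endpoint


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_pkp(header: str) -> dict:
    """Parse the directive list shared by Public-Key-Pins and Public-Key-Pins-Report-Only."""
    policy = {"pins": set(), "max_age": None, "report_uri": None, "include_subdomains": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "pin-sha256":
            policy["pins"].add(value)
        elif name == "max-age":
            policy["max_age"] = int(value)
        elif name == "report-uri":
            policy["report_uri"] = value
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy


def chain_matches(policy: dict, chain_spkis: list) -> bool:
    """A chain satisfies the policy if some certificate's SPKI hash is among the pins."""
    return any(spki_pin(spki) in policy["pins"] for spki in chain_spkis)


class UserAgent:
    """Keeps noted PKP pins per host; PKP-RO is evaluated once and never stored."""

    def __init__(self):
        self.noted = {}  # host -> (policy, expiry time)

    def handle_response(self, host: str, headers: dict, chain_spkis: list, now: float) -> dict:
        outcome = {"connection_failed": False, "reports": []}

        # 1. Enforce a previously noted PKP for this host, unless max-age has elapsed.
        if host in self.noted:
            policy, expiry = self.noted[host]
            if now >= expiry:
                del self.noted[host]          # pin expired: forgotten, not enforced
            elif not chain_matches(policy, chain_spkis):
                outcome["connection_failed"] = True
                if policy["report_uri"]:
                    outcome["reports"].append(("PKP", policy["report_uri"]))
                return outcome                # hard failure: nothing else is processed

        # 2. PKP: persist the policy for max-age seconds (assumed: only if the chain matches).
        pkp = headers.get("Public-Key-Pins")
        if pkp:
            policy = parse_pkp(pkp)
            if policy["max_age"] is not None and chain_matches(policy, chain_spkis):
                self.noted[host] = (policy, now + policy["max_age"])

        # 3. PKP-RO: checked against this response's chain only; a mismatch just reports.
        ro = headers.get("Public-Key-Pins-Report-Only")
        if ro:
            policy = parse_pkp(ro)
            if not chain_matches(policy, chain_spkis) and policy["report_uri"]:
                outcome["reports"].append(("PKP-RO", policy["report_uri"]))
        return outcome


def staged_rollout():
    """Report-only trial first, then the same directives as an enforced pin."""
    ua = UserAgent()
    pin = f'pin-sha256="{spki_pin(SPKI_A)}"; max-age=300; report-uri="{REPORT_URI}"'
    steps = []
    # Trial against a chain that does not carry the pinned key: report, no failure, nothing noted.
    steps.append(ua.handle_response("example.test", {"Public-Key-Pins-Report-Only": pin}, [SPKI_B], now=0))
    # Production: chain matches, the pin is noted and expires at now + 300.
    steps.append(ua.handle_response("example.test", {"Public-Key-Pins": pin}, [SPKI_A], now=10))
    # A later connection presents an unpinned key while the pin is live: hard failure.
    steps.append(ua.handle_response("example.test", {}, [SPKI_B], now=100))
    # After max-age the pin is forgotten and the same chain is accepted again.
    steps.append(ua.handle_response("example.test", {}, [SPKI_B], now=400))
    return steps, dict(ua.noted)


if __name__ == "__main__":
    for i, step in enumerate(staged_rollout()[0], 1):
        print(i, step)
```

Step 1 shows why the report-only trial is safe to run on production traffic: the mismatch surfaces as a report and the connection is left alone. The renegotiation case Ryan describes falls out of the same structure, since the RO policy is evaluated exactly once, against the chain seen for the response carrying the header, and is not kept anywhere to be re-checked later.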
