On Fri, Apr 4, 2014 at 1:58 PM, Chris Palmer <[email protected]> wrote:
> On Fri, Feb 21, 2014 at 12:24 AM, Trevor Perrin <[email protected]> wrote:
>
>> How should HPKP's Public-Key-Pins-Report-Only header work?
>>
>> Does it only apply a check to the current TLS connection, or is the UA
>> expected to remember the pins and apply them to future connections?
>>
>> If the UA is expected to remember them, how do "Report-Only" pins
>> interact with regular pins?  Do they override each other or are
>> Report-Only pins tracked separately, so that a browser might have a
>> Report-Only pin and a "regular" pin for the same site?
>
> Good question, thanks. I've tried to answer it in the latest rev of
> the draft (https://code.google.com/p/key-pinning-draft/):
>
> =====
>
> <t>When used in the Public-Key-Pins-Report-Only header, the UA SHOULD POST
> reports for Pin Validation failures to the indicated report-uri, although
> the UA MUST NOT enforce Pin Validation. That is, in the event of Pin
> Validation failure when the host has set the Public-Key-Pins-Report-Only
> header, the UA performs Pin Validation only to check whether or not it
> should POST a report, but not for causing connection failure.</t>
>
> <t>If a Host sets the Public-Key-Pins-Report-Only header, the UA SHOULD note
> the Pins and directives given in the Public-Key-Pins-Report-Only header. If
> the UA does note the Pins and directives in the Public-Key-Pins-Report-Only
> header it SHOULD evaluate the specified policy and SHOULD report any
> would-be Pin Validation failures that would occur if the report-only policy
> were enforced.</t>
>
> <t>If a Host sets both the Public-Key-Pins header and the
> Public-Key-Pins-Report-Only header, the UA MUST note and enforce Pin
> Validation as specified by the Public-Key-Pins header, and SHOULD note the
> Pins and directives given in the Public-Key-Pins-Report-Only header. If the
> UA does note the Pins and directives in the Public-Key-Pins-Report-Only
> header it SHOULD evaluate the specified policy and SHOULD report any
> would-be Pin Validation failures that would occur if the report-only policy
> were enforced.</t>
>
> <t>When used in the Public-Key-Pins header, the presence of a report-uri
> directive indicates to the UA that in the event of Pin Validation failure it
> SHOULD POST a report to the report-uri, in addition to terminating the
> connection (as described in <xref
> target="validating-pinned-connections"/>).</t>
>
> =====
>
> Does that clarify?

I think your intent is that there's 2 different types of pins (regular
and report-only), which don't interact.  I.e. setting max-age=0 on a
regular PKP header doesn't clear PKP-RO pins, and vice versa.  And
when contacting a pinned site, the UA might have to apply both pins to
it.

Seems reasonable, if other people agree.

Regarding the specific text, my guess is this will need more changes
to make clear, since the document was mostly written from the
perspective of there only being 0 or 1 "pins" for a connection.  But
I'd have to re-read it to make sure.

Trevor

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
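The two-store reading Trevor gives above (regular and Report-Only pins tracked independently, max-age=0 clearing only its own type, and both evaluated on a connection), as an added Python model that is not code from the draft, the thread or any UA; the `PinStore` class, its simplified header parsing, and the hostnames, pin values and report-uri values in the usage are all assumed or constructed.

```python
import re

# Minimal directive parsing; real UAs must handle the full ABNF of the draft.
PIN_RE = re.compile(r'pin-sha256="([^"]+)"')
MAXAGE_RE = re.compile(r'max-age=(\d+)')
URI_RE = re.compile(r'report-uri="([^"]+)"')


class PinStore:
    """Hypothetical UA pin store with separate PKP and PKP-RO entries per host."""

    def __init__(self):
        self.enforced = {}      # host -> {"pins", "expires", "report_uri"}
        self.report_only = {}   # same shape, never blocks a connection

    def note_header(self, host, header, value, now):
        """Note a PKP or PKP-RO header; max-age=0 clears only that header's type."""
        store = self.enforced if header == "Public-Key-Pins" else self.report_only
        m = MAXAGE_RE.search(value)
        max_age = int(m.group(1)) if m else 0
        if max_age == 0:
            store.pop(host, None)       # the other store is untouched
            return
        uri = URI_RE.search(value)
        store[host] = {"pins": set(PIN_RE.findall(value)),
                       "expires": now + max_age,
                       "report_uri": uri.group(1) if uri else None}

    def _live(self, store, host, now):
        entry = store.get(host)
        if entry and entry["expires"] > now:
            return entry
        store.pop(host, None)           # drop expired entries
        return None

    def validate(self, host, chain_spki_hashes, now):
        """Return (connection_allowed, report_uris) for a chain's SPKI hashes."""
        chain, allowed, reports = set(chain_spki_hashes), True, []
        # Regular pins: a mismatch terminates the connection and may report.
        entry = self._live(self.enforced, host, now)
        if entry and not (entry["pins"] & chain):
            allowed = False
            if entry["report_uri"]:
                reports.append(entry["report_uri"])
        # Report-Only pins: evaluated independently, only ever produce a report.
        entry = self._live(self.report_only, host, now)
        if entry and not (entry["pins"] & chain):
            if entry["report_uri"]:
                reports.append(entry["report_uri"])
        return allowed, reports
```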
