In Section 2.6. ("Validating Pinned Connections"), there is this wording:

"To perform Pin Validation, the UA will compute the SPKI Fingerprints for each certificate in the Pinned Host's validated certificate chain, [...]"

It is assumed that there is only one validated certificate chain. In practice, there could be multiple valid certificate chains, some with pins, others without. It's possible that a UA will first process the paths, select one deemed to be the "best", only after which the pins will be examined. If the selected path is without pins, the connection will fail, even though there might be other paths that could have been used.

I think the specification should describe this situation, and instruct UAs to try alternative (acceptable) trust paths in case of pin failure.

--
Ivan
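The situation described in the message above, as an added Python sketch that is not part of the original e-mail or of the specification. The certificates, key bytes and the shortest-path ranking are constructed assumptions, and every chain passed in is assumed to have already passed normal certificate validation.

```python
import base64
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    spki: bytes  # constructed stand-in for the DER SubjectPublicKeyInfo

def spki_fingerprint(cert):
    """Pin value: base64 of SHA-256 over the SubjectPublicKeyInfo bytes."""
    return base64.b64encode(hashlib.sha256(cert.spki).digest()).decode()

def chain_has_pin(chain, pins):
    """Pin Validation for one chain: any certificate's SPKI matches a pin."""
    return any(spki_fingerprint(c) in pins for c in chain)

def rank_paths(chains):
    # Assumption: this UA treats the shortest validated path as the "best".
    return sorted(chains, key=len)

def validate_best_path_only(chains, pins):
    """Pick one path first, examine pins afterwards (the failure case)."""
    best = rank_paths(chains)[0]
    return best if chain_has_pin(best, pins) else None

def validate_any_path(chains, pins):
    """Try each acceptable path in preference order until one satisfies the pins."""
    for chain in rank_paths(chains):
        if chain_has_pin(chain, pins):
            return chain
    return None

# Constructed data: a root key that also appears in a cross-signed certificate.
LEAF = Cert("www.example.test", b"constructed-leaf-key")
INTERMEDIATE = Cert("Example Issuing CA", b"constructed-intermediate-key")
NEW_ROOT = Cert("Example Root G2", b"constructed-new-root-key")
NEW_ROOT_CROSS = Cert("Example Root G2 (cross-signed by G1)", NEW_ROOT.spki)
OLD_ROOT = Cert("Example Root G1", b"constructed-old-root-key")
BACKUP = Cert("backup key", b"constructed-backup-key")

CHAINS = [
    [LEAF, INTERMEDIATE, NEW_ROOT_CROSS, OLD_ROOT],  # contains the pinned key
    [LEAF, INTERMEDIATE, NEW_ROOT],                  # shorter, no pinned key
]
PINS = {spki_fingerprint(OLD_ROOT), spki_fingerprint(BACKUP)}

if __name__ == "__main__":
    print("best path only:", validate_best_path_only(CHAINS, PINS))
    chosen = validate_any_path(CHAINS, PINS)
    print("any acceptable path:", [c.subject for c in chosen])
```

With this data the best-path-only strategy rejects the connection, while trying the alternative path finds the chain ending in the pinned root.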
