On Tue, May 13, 2014 at 2:09 PM, Chris Palmer <[email protected]> wrote:
>
> PKP vs. PKP-RO:
> https://code.google.com/p/key-pinning-draft/source/detail?r=994a00dc31bf2cca6f3edea29871a6a4f18090f9
The new text about PKP-RO in 2.5 (quoted below) seems to say that a
PKP-RO header is only evaluated against the current connection, not
stored as a pin. I thought we decided the opposite (which is what I
think 2.3.2 is saying):

2.3.2 (existing text):

If a Host sets both the Public-Key-Pins header and the Public-Key-
Pins-Report-Only header, the UA MUST note and enforce Pin Validation
as specified by the Public-Key-Pins header, and SHOULD note the Pins
and directives given in the Public-Key-Pins-Report-Only header.

2.5 (new text):

The UA SHOULD NOT note any pins or other policy expressed in the PKP-
RO response header field.
> Interactions with built-in pins:
> https://code.google.com/p/key-pinning-draft/source/detail?r=bbf42b1e5e9b49a8cdf193f9c7fe230d0d290543
>
> Cookie security considerations:
> https://code.google.com/p/key-pinning-draft/source/detail?r=7b4474e7d3666f1aebb3f1bcde69bf552aa65d78
Those look OK to me.
Trevor
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
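The two readings of PKP-RO under discussion (2.3.2: the UA SHOULD note report-only pins for later connections; 2.5: the UA SHOULD NOT note them and only evaluates the header against the current connection) can be made concrete with a small model of a UA's pin handling. The following is an added example, not code from this thread, from the key-pinning draft or from any browser. It assumes a simplified pin store, stand-in byte strings in place of real SubjectPublicKeyInfo DER, and the rule (taken from the later RFC 7469, not from the draft text quoted above) that a PKP header is only noted when one pin matches the current chain and another pin is a backup not present in it. The `note_report_only` flag switches between the two readings; the pin-sha256 computation (base64 of SHA-256 over SPKI DER) is the one the draft specifies.

```python
"""Model of how a UA handles PKP vs PKP-RO headers (added example; not the
draft's or any browser's code). SPKI values below are constructed stand-ins."""
import base64
import hashlib

PKP = "Public-Key-Pins"
PKP_RO = "Public-Key-Pins-Report-Only"


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64 of the SHA-256 digest of the SPKI DER."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_pkp(value: str) -> dict:
    """Parse a PKP or PKP-RO field value into its directives."""
    policy = {"pins": [], "max_age": None, "include_subdomains": False, "report_uri": None}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")  # split on the first '=' only
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "pin-sha256":
            policy["pins"].append(val)
        elif name == "max-age":
            policy["max_age"] = int(val)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "report-uri":
            policy["report_uri"] = val
    return policy


def pin_validation(pins, chain_spki) -> bool:
    """Pin Validation succeeds when at least one pin matches an SPKI in the chain."""
    return any(spki_pin(spki) in pins for spki in chain_spki)


def new_store() -> dict:
    """UA pin cache: enforced pins and (under the 2.3.2 reading) noted PKP-RO pins."""
    return {"enforce": {}, "report_only": {}}


def process_connection(store, host, chain_spki, headers, note_report_only):
    """Handle one connection to `host` and the pinning headers it returned.

    note_report_only=True models the 2.3.2 reading (UA SHOULD note PKP-RO pins);
    False models the 2.5 reading (UA SHOULD NOT note them).
    Returns (connection_allowed, reports); each report is (kind, report_uri).
    """
    reports = []
    # Enforce previously noted PKP pins: a mismatch terminates the connection.
    noted = store["enforce"].get(host)
    if noted and not pin_validation(noted["pins"], chain_spki):
        return False, [("enforced", noted["report_uri"])]
    # Previously noted report-only pins (2.3.2 reading) only ever produce a report.
    noted_ro = store["report_only"].get(host)
    if noted_ro and not pin_validation(noted_ro["pins"], chain_spki):
        reports.append(("report-only", noted_ro["report_uri"]))
    # Note a PKP header only if it validates against this chain and carries a
    # backup pin not present in the chain (assumption: rule from RFC 7469).
    if PKP in headers:
        policy = parse_pkp(headers[PKP])
        in_chain = {spki_pin(s) for s in chain_spki}
        has_backup = any(p not in in_chain for p in policy["pins"])
        if pin_validation(policy["pins"], chain_spki) and has_backup:
            if policy["max_age"] == 0:
                store["enforce"].pop(host, None)
            else:
                store["enforce"][host] = policy
    # Evaluate a PKP-RO header against this connection: report, never enforce.
    if PKP_RO in headers:
        ro = parse_pkp(headers[PKP_RO])
        if not pin_validation(ro["pins"], chain_spki):
            reports.append(("report-only", ro["report_uri"]))
        if note_report_only:
            store["report_only"][host] = ro
        else:
            store["report_only"].pop(host, None)
    return True, reports


# Constructed sample data: stand-in SPKI byte strings, not real keys.
KEY_A, KEY_B, KEY_C, KEY_D = b"spki-A", b"spki-B", b"spki-C", b"spki-D"
HOST = "example.com"
HEADERS = {
    PKP: f'pin-sha256="{spki_pin(KEY_A)}"; pin-sha256="{spki_pin(KEY_B)}"; max-age=5184000',
    PKP_RO: f'pin-sha256="{spki_pin(KEY_C)}"; report-uri="https://example.com/report"',
}


def run_scenario(note_report_only):
    """Three connections: one with headers, a repeat without, then a chain change."""
    store = new_store()
    first = process_connection(store, HOST, [KEY_A], HEADERS, note_report_only)
    repeat = process_connection(store, HOST, [KEY_A], {}, note_report_only)
    rekeyed = process_connection(store, HOST, [KEY_D], {}, note_report_only)
    return first, repeat, rekeyed


if __name__ == "__main__":
    for reading, flag in (("2.3.2 reading", True), ("2.5 reading", False)):
        print(reading, run_scenario(flag))
```

The scenario shows where the two readings diverge: on the repeat connection with no headers, the 2.3.2 reading still emits a report-only report from the noted PKP-RO pins, while the 2.5 reading emits nothing because nothing was noted. Under both readings the PKP header alone drives enforcement, so the rekeyed connection is blocked either way.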