It is not clear from draft-ietf-websec-key-pinning how reporting interacts with a user-defined policy or with disabled pin validation.
For example, if a UA allows connections with a locally installed certificate to proceed on a pin mismatch, should the report still be generated?

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
