Interesting question. IMO (no hats) the answer should be no. If the UA has disabled pin validation (as section 2.6 says it may) then it should not send reports either.
Yoav

On May 21, 2014, at 8:16 AM, Igor Bukanov <[email protected]> wrote:

> It is not clear from draft-ietf-websec-key-pinning how reporting
> interacts with a user-defined policy or with a disabled pin
> validation.
>
> For example, if UA allows to proceed for connections with a locally
> installed certificate on a pin mismatch, should the report still be
> generated?
>
> _______________________________________________
> websec mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/websec
