This is somewhat related to the question of whether a website in general should be allowed to know if the user uses a non-approved certificate that is installed on her device. This is important if one considers the possibility of using social engineering to trick the user into installing a new certificate authority that allows MITM attacks. I know banks worry about that.

However, allowing websites such knowledge has privacy implications. Besides, the social engineering arguments are weak, as a user can just as well be tricked into installing a special browser that skips any SSL checks. So the proposed text change is good.

On 27 May 2014 20:28, Chris Palmer <[email protected]> wrote:
> On Thu, May 22, 2014 at 12:49 AM, Yoav Nir <[email protected]> wrote:
>
>> Interesting question. IMO (no hats) the answer should be no. If the UA has
>> disabled pin validation (as section 2.6 says it may) then it should not send
>> reports either.
>
> Thanks for raising the question, Igor. I am inclined to agree with
> Yoav. Anyone else have thoughts?
>
> Is section 2.6 a good place to put a note about this issue? Proposed text:
>
> """
> If Pin Validation is not in effect (e.g. because the user has elected
> to disable it, or because a presented certificate chain chains up to a
> locally-installed anchor), and if the server has set a report-uri in a
> PKP or PKP-RO header, the UA SHOULD NOT send any reports to the
> report-uri for the given certificate chain.
> """

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
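The rule in the proposed section 2.6 text can be modelled as a small UA-side decision: parse the PKP or PKP-RO header, hash the SPKIs of the presented chain, and only consider a mismatch (and therefore a report) when pin validation is actually in effect. The following is an added example written for this thread, not code from any browser or from the websec draft; the `PinPolicy`, `ChainContext` and `evaluate` names, the sample SPKI byte strings and the `example.invalid` report-uri are all constructed for illustration, and the parser follows the `pin-sha256` / `max-age` / `report-uri` directive shape of HPKP (later RFC 7469) without implementing its other validity checks such as the backup-pin requirement.

```python
import base64
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Added example: a model of the UA decision described in the proposed text.
# Class names, sample SPKI bytes and the report-uri are constructed.


@dataclass
class PinPolicy:
    pins: Set[str]                 # base64 SHA-256 of SPKI, from pin-sha256 directives
    max_age: int
    report_uri: Optional[str]
    report_only: bool              # True when sent as Public-Key-Pins-Report-Only


_DIRECTIVE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*(?:=\s*"?([^"]*)"?)?\s*$')


def parse_pkp_header(header_name: str, value: str) -> PinPolicy:
    """Parse the value of a PKP or PKP-RO header into a PinPolicy.

    Directives are ';'-separated; pin-sha256 may repeat. Unknown directives
    (e.g. includeSubDomains) are ignored here.
    """
    pins: Set[str] = set()
    max_age, report_uri = 0, None
    for part in value.split(";"):
        m = _DIRECTIVE.match(part)
        if not m or not part.strip():
            continue
        name, arg = m.group(1).lower(), m.group(2)
        if name == "pin-sha256" and arg:
            pins.add(arg)
        elif name == "max-age" and arg:
            max_age = int(arg)
        elif name == "report-uri" and arg:
            report_uri = arg
    return PinPolicy(pins, max_age, report_uri,
                     header_name.lower() == "public-key-pins-report-only")


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


@dataclass
class ChainContext:
    chain_spkis: List[bytes]       # SPKI DER of each certificate in the validated chain
    chains_to_local_anchor: bool   # chain terminates at a locally installed root
    user_disabled_pinning: bool    # user has elected to disable pin validation


def pin_validation_in_effect(ctx: ChainContext) -> bool:
    # Either condition named in the proposed text takes pin validation out of effect.
    return not (ctx.user_disabled_pinning or ctx.chains_to_local_anchor)


def evaluate(policy: PinPolicy, ctx: ChainContext) -> dict:
    """Decide whether the UA should fail the connection and/or send a report."""
    if not pin_validation_in_effect(ctx):
        # Proposed section 2.6 rule: no validation happened, so no report is sent,
        # even though the chain would not have matched the pins.
        return {"validated": None, "fail_connection": False, "send_report": False}
    matched = any(spki_pin(spki) in policy.pins for spki in ctx.chain_spkis)
    if matched:
        return {"validated": True, "fail_connection": False, "send_report": False}
    # Genuine pin failure: PKP blocks, PKP-RO only reports; either reports if a URI is set.
    return {
        "validated": False,
        "fail_connection": not policy.report_only,
        "send_report": policy.report_uri is not None,
    }


# Constructed sample: two fake SPKI blobs, only GOOD_SPKI is pinned; BACKUP_SPKI
# stands in for the operator's offline backup key and never appears in a chain.
GOOD_SPKI = b"constructed-spki-of-the-pinned-key"
BACKUP_SPKI = b"constructed-spki-of-the-backup-key"
OTHER_SPKI = b"constructed-spki-of-an-unpinned-key"
PKP_HEADER = (
    f'pin-sha256="{spki_pin(GOOD_SPKI)}"; pin-sha256="{spki_pin(BACKUP_SPKI)}"; '
    'max-age=5184000; includeSubDomains; report-uri="https://example.invalid/hpkp-report"'
)

if __name__ == "__main__":
    policy = parse_pkp_header("Public-Key-Pins", PKP_HEADER)
    # A chain that ends at a locally installed anchor: no validation, no report.
    print(evaluate(policy, ChainContext([OTHER_SPKI], True, False)))
    # The same unpinned chain under a public anchor: blocked and reported.
    print(evaluate(policy, ChainContext([OTHER_SPKI], False, False)))
```

The distinction the model makes explicit is that `send_report` is gated on `pin_validation_in_effect` before any pin comparison, so a locally installed anchor or a user opt-out produces no traffic to the report-uri, which is exactly the privacy property the thread is weighing against the operator's wish to learn about such chains.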
