Anyone have comments on below? Is there agreement on what PKP-RO should do yet?
On Mon, May 19, 2014 at 11:28 PM, Trevor Perrin <[email protected]> wrote:
> On Tue, May 13, 2014 at 2:09 PM, Chris Palmer <[email protected]> wrote:
>>
>> PKP vs. PKP-RO:
>> https://code.google.com/p/key-pinning-draft/source/detail?r=994a00dc31bf2cca6f3edea29871a6a4f18090f9
>
> The new text about PKP-RO in 2.5 (quoted below) seems to say that a PKP-RO header is only evaluated against the current connection, not stored as a pin. I thought we decided the opposite (which is what I think 2.3.2 is saying):
>
> 2.3.2 (existing text):
> If a Host sets both the Public-Key-Pins header and the Public-Key-Pins-Report-Only header, the UA MUST note and enforce Pin Validation as specified by the Public-Key-Pins header, and SHOULD note the Pins and directives given in the Public-Key-Pins-Report-Only header.
>
> 2.5 (new text):
> The UA SHOULD NOT note any pins or other policy expressed in the PKP-RO response header field.
>
> Trevor

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
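As an added illustration of the two readings under discussion (not code from the thread, the draft, or any browser), the following toy user-agent model parses Public-Key-Pins and Public-Key-Pins-Report-Only header fields, enforces pins noted on an earlier visit, notes PKP pins only when the header's own pins validate against the chain and a Backup Pin is present, and treats PKP-RO the way the new 2.5 text describes: evaluated against the current connection and reported, but not noted. A `note_report_only` flag switches to the 2.3.2 reading Trevor quotes, where RO pins are remembered too. Hostnames, SPKI byte strings and report URIs are constructed for the example; real pins are the base64 SHA-256 of the DER SubjectPublicKeyInfo.

```python
"""Toy UA model of HPKP header handling (added example, not from the draft)."""
import base64
import hashlib
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PinPolicy:
    pins: set = field(default_factory=set)        # pin-sha256 values (base64 digests)
    max_age: Optional[int] = None
    include_subdomains: bool = False
    report_uri: Optional[str] = None


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


# directive-name [ "=" ( quoted-string / token ) ]
_DIRECTIVE = re.compile(r'\s*([A-Za-z0-9-]+)\s*(?:=\s*(?:"([^"]*)"|([^;\s]*)))?\s*')


def parse_pin_header(value: str) -> PinPolicy:
    """Parse a Public-Key-Pins or Public-Key-Pins-Report-Only field value."""
    policy = PinPolicy()
    for part in value.split(";"):
        if not part.strip():
            continue
        m = _DIRECTIVE.fullmatch(part)
        if not m:
            raise ValueError(f"bad directive: {part!r}")
        name = m.group(1).lower()
        val = m.group(2) if m.group(2) is not None else m.group(3)
        if name == "pin-sha256":
            # Reject anything that is not a base64 encoding of exactly 32 bytes.
            if val is None or len(base64.b64decode(val, validate=True)) != 32:
                raise ValueError(f"pin-sha256 is not a SHA-256 digest: {val!r}")
            policy.pins.add(val)
        elif name == "max-age":
            policy.max_age = int(val)
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "report-uri":
            policy.report_uri = val
        # Unknown directives are ignored.
    return policy


@dataclass
class UserAgent:
    known_pinned_hosts: dict = field(default_factory=dict)  # host -> enforced PinPolicy
    report_only_notes: dict = field(default_factory=dict)   # host -> RO PinPolicy (2.3.2 reading)
    reports_sent: list = field(default_factory=list)        # (report_uri, host, kind)

    @staticmethod
    def pin_validation(policy: PinPolicy, chain_spkis) -> bool:
        """Succeeds if any pin matches any SPKI in the (already validated) chain."""
        return any(spki_pin(s) in policy.pins for s in chain_spkis)

    def connect(self, host, chain_spkis, headers, note_report_only=False) -> bool:
        """Return True if the connection proceeds, False if enforced pins reject it."""
        # 1. Enforce pins noted on an earlier visit (Known Pinned Host).
        noted = self.known_pinned_hosts.get(host)
        if noted and not self.pin_validation(noted, chain_spkis):
            if noted.report_uri:
                self.reports_sent.append((noted.report_uri, host, "enforced"))
            return False
        chain_pins = {spki_pin(s) for s in chain_spkis}
        # 2. Public-Key-Pins: the header's pins must validate against this chain
        #    and include a Backup Pin (one not in the chain) before being noted.
        if "Public-Key-Pins" in headers:
            p = parse_pin_header(headers["Public-Key-Pins"])
            if p.max_age is not None and (p.pins & chain_pins) and (p.pins - chain_pins):
                if p.max_age == 0:
                    self.known_pinned_hosts.pop(host, None)  # max-age=0 removes the pins
                else:
                    self.known_pinned_hosts[host] = p
        # 3. Public-Key-Pins-Report-Only: evaluate against this connection and
        #    report a mismatch; per the new 2.5 text the pins are not noted.
        if "Public-Key-Pins-Report-Only" in headers:
            ro = parse_pin_header(headers["Public-Key-Pins-Report-Only"])
            if not self.pin_validation(ro, chain_spkis) and ro.report_uri:
                self.reports_sent.append((ro.report_uri, host, "report-only"))
            if note_report_only:  # the 2.3.2 reading: remember the RO policy too
                self.report_only_notes[host] = ro
        return True


def demo():
    """Constructed scenario: first visit with both headers, then a rogue key."""
    ua = UserAgent()
    leaf, backup, rogue = b"spki-leaf-A", b"spki-backup-B", b"spki-rogue-C"
    pkp = (f'pin-sha256="{spki_pin(leaf)}"; pin-sha256="{spki_pin(backup)}"; '
           'max-age=5184000; report-uri="https://example.test/pkp"')
    # RO header pins only the backup key, which this chain does not present.
    ro = f'pin-sha256="{spki_pin(backup)}"; report-uri="https://example.test/pkp-ro"'
    ok1 = ua.connect("example.test", [leaf],
                     {"Public-Key-Pins": pkp, "Public-Key-Pins-Report-Only": ro})
    ok2 = ua.connect("example.test", [rogue], {})
    return (ok1, ok2, "example.test" in ua.known_pinned_hosts,
            "example.test" in ua.report_only_notes, ua.reports_sent)


if __name__ == "__main__":
    print(demo())
```

The first connection succeeds and notes the PKP policy, while the RO mismatch only produces a report to the RO report-uri; the second connection, presenting an unpinned key, is rejected by the noted pins and reported to the PKP report-uri. Nothing from the RO header is remembered unless `note_report_only=True`, which is exactly the difference between the 2.5 and 2.3.2 texts quoted above.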
