FYI, I added the proposed text: https://code.google.com/p/key-pinning-draft/source/detail?r=c30017eb14428df9d094a32ba46196245bdc5fe1
On Tue, May 27, 2014 at 11:03 PM, Igor Bukanov <[email protected]> wrote:
> This is somewhat related to the question if a website in general
> should be allowed to know if the user uses a non-approved certificate
> that is installed on her device. This is important if one considers a
> possibility of using social engineering to trick the user to install a
> new certificate authority that allows performing MITM attacks. I know
> banks worry about that.
>
> However, allowing such knowledge to websites has privacy
> implications. Besides, social engineering arguments are weak as a user
> can just as well be tricked to install a special browser that skips
> any ssl checks. So the proposed text change is good.
>
> On 27 May 2014 20:28, Chris Palmer <[email protected]> wrote:
>> On Thu, May 22, 2014 at 12:49 AM, Yoav Nir <[email protected]> wrote:
>>
>>> Interesting question. IMO (no hats) the answer should be no. If the UA has
>>> disabled pin validation (as section 2.6 says it may) then it should not
>>> send reports either.
>>
>> Thanks for raising the question, Igor. I am inclined to agree with
>> Yoav. Anyone else have thoughts?
>>
>> Is section 2.6 a good place to put a note about this issue? Proposed text:
>>
>> """
>> If Pin Validation is not in effect (e.g. because the user has elected
>> to disable it, or because a presented certificate chain chains up to a
>> locally-installed anchor), and if the server has set a report-uri in a
>> PKP or PKP-RO header, the UA SHOULD NOT send any reports to the
>> report-uri for the given certificate chain.
>> """

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
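The proposed section 2.6 rule, written out as UA-side reporting logic in an added example that is not code from the draft or from anyone in this thread; the `Cert` type, the simplified `pin-sha256`/`report-uri` header parsing and the SPKI bytes used in tests are constructed assumptions.

```python
import base64
import hashlib
import re
from dataclasses import dataclass


@dataclass
class Cert:
    """Constructed stand-in for a certificate: only the fields the rule needs."""
    spki_der: bytes                       # DER SubjectPublicKeyInfo (assumed already extracted)
    locally_installed_anchor: bool = False  # True if this anchor was added by the user/admin


def spki_pin(cert: Cert) -> str:
    """HPKP pin: base64(SHA-256(SPKI DER))."""
    return base64.b64encode(hashlib.sha256(cert.spki_der).digest()).decode()


def parse_pkp(header: str):
    """Simplified PKP / PKP-RO header parser: returns (pin set, report-uri or None)."""
    pins = set(re.findall(r'pin-sha256="([^"]+)"', header))
    m = re.search(r'report-uri="([^"]+)"', header)
    return pins, (m.group(1) if m else None)


def pin_validation_in_effect(chain: list, user_disabled_pinning: bool) -> bool:
    """Section 2.6: the UA may disable Pin Validation; the proposed text also treats
    a chain ending at a locally-installed anchor as 'not in effect'."""
    if user_disabled_pinning:
        return False
    return not chain[-1].locally_installed_anchor


def chain_matches_pins(chain: list, pins: set) -> bool:
    """Pin Validation passes if any SPKI in the chain matches a pinned hash."""
    return any(spki_pin(c) in pins for c in chain)


def report_decision(header: str, chain: list, user_disabled_pinning: bool = False):
    """Return the report-uri to send a violation report to, or None when no report
    should be sent. A report is only sent when Pin Validation is in effect, the
    server set a report-uri, and the chain fails validation."""
    pins, report_uri = parse_pkp(header)
    if not pin_validation_in_effect(chain, user_disabled_pinning):
        return None  # proposed text: UA SHOULD NOT report for this chain
    if report_uri is None or chain_matches_pins(chain, pins):
        return None
    return report_uri
```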
