Sorry it took me a while. See the other thread; I think it's handled reasonably well now?
On Wed, Jun 4, 2014 at 5:48 PM, Trevor Perrin <[email protected]> wrote:
> Anyone have comments on below? Is there agreement on what PKP-RO should do
> yet?
>
>
> On Mon, May 19, 2014 at 11:28 PM, Trevor Perrin <[email protected]> wrote:
>> On Tue, May 13, 2014 at 2:09 PM, Chris Palmer <[email protected]> wrote:
>>>
>>> PKP vs. PKP-RO:
>>> https://code.google.com/p/key-pinning-draft/source/detail?r=994a00dc31bf2cca6f3edea29871a6a4f18090f9
>>
>> The new text about PKP-RO in 2.5 (quoted below) seems to say that a
>> PKP-RO header is only evaluated against the current connection, not
>> stored as a pin. I thought we decided the opposite (which is what I
>> think 2.3.2 is saying):
>>
>> 2.3.2 (existing text):
>> If a Host sets both the Public-Key-Pins header and the
>> Public-Key-Pins-Report-Only header, the UA MUST note and enforce Pin
>> Validation as specified by the Public-Key-Pins header, and SHOULD note
>> the Pins and directives given in the Public-Key-Pins-Report-Only header.
>>
>> 2.5 (new text):
>> The UA SHOULD NOT note any pins or other policy expressed in the PKP-RO
>> response header field.
>
>
> Trevor

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
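To make the distinction in the quoted thread concrete, here is an added Python example (not code from the thread or from the key-pinning draft): a toy UA that notes pins from Public-Key-Pins and, following the 2.5 text quoted above, evaluates Public-Key-Pins-Report-Only against the current connection only, sending a report on mismatch but never noting those pins. The header values, pin strings, host and report URI are constructed placeholders, and requiring PKP pins to match the current chain before noting them is an assumption of this example.

```python
from dataclasses import dataclass, field

# Constructed sample header values (placeholders, not real SPKI hashes).
PKP = 'pin-sha256="AAAA"; pin-sha256="BBBB"; max-age=5184000; includeSubDomains'
PKP_RO = 'pin-sha256="CCCC"; report-uri="https://example.test/report"'


def parse_pkp(value):
    """Split a PKP / PKP-RO header value into (pin list, other directives)."""
    pins, directives = [], {}
    for token in value.split(";"):
        token = token.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "pin-sha256":
            pins.append(val)
        else:
            directives[name] = val or None
    return pins, directives


@dataclass
class UserAgent:
    noted_pins: dict = field(default_factory=dict)  # host -> pins noted from PKP
    reports: list = field(default_factory=list)     # (host, report-uri, pins)

    def process(self, host, chain_spki_hashes, pkp=None, pkp_ro=None):
        """Handle one connection; return True if enforced Pin Validation passes."""
        chain = set(chain_spki_hashes)
        if pkp is not None:
            pins, d = parse_pkp(pkp)
            if d.get("max-age") == "0":
                self.noted_pins.pop(host, None)  # max-age=0 clears the noted pin
            elif chain & set(pins):  # assumption: only note pins matching this chain
                self.noted_pins[host] = pins  # 2.3.2: note and enforce PKP
        if pkp_ro is not None:
            pins, d = parse_pkp(pkp_ro)
            # 2.5 text: evaluate PKP-RO against this connection only; never note it.
            if not chain & set(pins) and d.get("report-uri"):
                self.reports.append((host, d["report-uri"], pins))
        enforced = self.noted_pins.get(host)
        return enforced is None or bool(chain & set(enforced))
```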
