Sorry for the late, last minute review. I found one capitalization nit, one issue, and one personal-opinion-based nit.
Section 2.1: The first word of the sentence should be capitalized.
Old: . token and quoted-string are used
New: . Token and quoted-string are used

Section 4.2:
Public-Key-Pins: pin-sha256="GHI..."; pin-sha256="JKL..."
This is not a valid Pinning Header, as is stated, because it is missing the REQUIRED max-age directive. I recommend changing it to:
Public-Key-Pins: max-age=12000; pin-sha256="GHI..."; pin-sha256="JKL..."

Appendix A: I understand the POSIX shell may be desirable for some, but openssl is used for everything except for the very last command here. Therefore, I think that it would make more sense to just have the whole thing be openssl commands so that Windows users will also be able to create key pins locally using the direct commands from the draft.
Old: This POSIX shell program generates SPKI Fingerprints...
...
openssl dgst -sha256 -binary public.key | base64
New: This OpenSSL command generates SPKI Fingerprints...
...
openssl dgst -sha256 -binary public.key | openssl enc -base64

-cem

> -----Original Message-----
> From: websec [mailto:[email protected]] On Behalf Of internet-
> [email protected]
> Sent: Thursday, August 07, 2014 1:12 PM
> To: [email protected]
> Cc: [email protected]
> Subject: EXTERNAL: [websec] I-D Action: draft-ietf-websec-key-pinning-20.txt
>
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Web Security Working Group of the IETF.
>
> Title : Public Key Pinning Extension for HTTP
> Authors : Chris Evans
> Chris Palmer
> Ryan Sleevi
> Filename : draft-ietf-websec-key-pinning-20.txt
> Pages : 26
> Date : 2014-08-07
>
> Abstract:
> This document describes an extension to the HTTP protocol allowing
> web host operators to instruct user agents to remember ("pin") the
> hosts' cryptographic identities for a given period of time. During
> that time, UAs will require that the host present a certificate chain
> including at least one Subject Public Key Info structure whose
> fingerprint matches one of the pinned fingerprints for that host. By
> effectively reducing the number of authorities who can authenticate
> the domain during the lifetime of the pin, pinning may reduce the
> incidence of man-in-the-middle attacks due to compromised
> Certification Authorities.
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/
>
> There's also a htmlized version available at:
> http://tools.ietf.org/html/draft-ietf-websec-key-pinning-20
>
> A diff from the previous version is available at:
> http://www.ietf.org/rfcdiff?url2=draft-ietf-websec-key-pinning-20
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> _______________________________________________
> websec mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/websec
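As an added illustration of the two technical points in the review above (the REQUIRED max-age directive in Section 4.2 and the SPKI fingerprint computation in Appendix A), not part of the original message or the draft: the script below computes a pin-sha256 value the same way the Appendix A pipeline does (SHA-256 over the DER-encoded SubjectPublicKeyInfo, then base64) and parses a Public-Key-Pins header value, flagging a header that lacks max-age or carries a pin that is not a base64 SHA-256 digest. The SPKI bytes are a constructed placeholder, not a real key; the directive names and the 32-byte digest length are as in the draft.

```python
import base64
import binascii
import hashlib

# Constructed placeholder standing in for DER-encoded SubjectPublicKeyInfo bytes;
# in practice these come from `openssl ... -pubkey | openssl pkey -pubin -outform der`.
SAMPLE_SPKI_DER = bytes(range(64))


def spki_pin_sha256(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(DER SubjectPublicKeyInfo)).
    Equivalent to `openssl dgst -sha256 -binary public.key | base64` on the DER SPKI."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_pkp_header(value: str) -> dict:
    """Parse a Public-Key-Pins header value into its directives and collect
    validation errors. Directive names are case-insensitive; values may be
    tokens or quoted-strings (quotes are stripped)."""
    result = {
        "max_age": None,
        "pins": [],
        "include_subdomains": False,
        "report_uri": None,
        "errors": [],
    }
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip()
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]  # unwrap quoted-string
        if name == "max-age":
            if not val.isdigit():
                result["errors"].append(f"max-age must be a non-negative integer, got {val!r}")
            elif result["max_age"] is not None:
                result["errors"].append("duplicate max-age directive")
            else:
                result["max_age"] = int(val)
        elif name == "pin-sha256":
            try:
                digest = base64.b64decode(val, validate=True)
            except (binascii.Error, ValueError):
                digest = b""
            if len(digest) != 32:  # SHA-256 digests are exactly 32 bytes
                result["errors"].append(f"pin-sha256 is not a base64 SHA-256 digest: {val!r}")
            else:
                result["pins"].append(val)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "report-uri":
            result["report_uri"] = val
        # other directive names are ignored here
    if result["max_age"] is None:
        result["errors"].append("missing REQUIRED max-age directive")
    if not result["pins"]:
        result["errors"].append("no pin-sha256 directive present")
    return result


def is_valid_pkp_header(value: str) -> bool:
    """True when the header parses with no validation errors."""
    return not parse_pkp_header(value)["errors"]


if __name__ == "__main__":
    pin = spki_pin_sha256(SAMPLE_SPKI_DER)
    # The Section 4.2 form as currently written (no max-age) versus the corrected form.
    for header in (
        f'pin-sha256="{pin}"; pin-sha256="{pin}"',
        f'max-age=12000; pin-sha256="{pin}"; pin-sha256="{pin}"',
    ):
        parsed = parse_pkp_header(header)
        print(header, "->", "valid" if not parsed["errors"] else parsed["errors"])
```

Running the script shows the first header rejected for the missing max-age directive and the corrected header accepted, which is exactly the difference the review asks the draft's Section 4.2 example to reflect.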
