Thanks, Carl

A new revision is needed anyway because of DISCUSS ballots during IESG review, so these nits can be solved at the same time.
Yoav

On Aug 16, 2014, at 1:02 AM, Mehner, Carl <[email protected]> wrote:

> Sorry for the late, last minute review. I found one capitalization nit, one
> issue, and one personal-opinion-based nit.
>
> Section 2.1; The first word of the sentence should be capitalized.
> Old:
>     token and quoted-string are used
> New:
>     Token and quoted-string are used
>
> Section 4.2
>     Public-Key-Pins: pin-sha256="GHI..."; pin-sha256="JKL..."
>
> This is not a valid Pinning Header as is stated due to it missing the
> REQUIRED max-age directive.
>
> I recommend changing to:
>     Public-Key-Pins: max-age=12000; pin-sha256="GHI..."; pin-sha256="JKL..."
>
> Appendix A:
> I understand the POSIX shell may be desirable for some, but openssl is used
> for everything except for the very last command here. Therefore, I think that
> it would make more sense to just have the whole thing be openssl commands so
> that Windows users will also be able to create key pins locally using the
> direct commands from the draft.
> Old:
>     This POSIX shell program generates SPKI Fingerprints...
>     ...
>     openssl dgst -sha256 -binary public.key | base64
> New:
>     This OpenSSL command generates SPKI Fingerprints...
>     ...
>     openssl dgst -sha256 -binary public.key | openssl enc -base64
>
> -cem
>
>> -----Original Message-----
>> From: websec [mailto:[email protected]] On Behalf Of internet-
>> [email protected]
>> Sent: Thursday, August 07, 2014 1:12 PM
>> To: [email protected]
>> Cc: [email protected]
>> Subject: EXTERNAL: [websec] I-D Action: draft-ietf-websec-key-pinning-20.txt
>>
>> A New Internet-Draft is available from the on-line Internet-Drafts
>> directories.
>> This draft is a work item of the Web Security Working Group of the IETF.
>>
>>         Title           : Public Key Pinning Extension for HTTP
>>         Authors         : Chris Evans
>>                           Chris Palmer
>>                           Ryan Sleevi
>>         Filename        : draft-ietf-websec-key-pinning-20.txt
>>         Pages           : 26
>>         Date            : 2014-08-07
>>
>> Abstract:
>>    This document describes an extension to the HTTP protocol allowing
>>    web host operators to instruct user agents to remember ("pin") the
>>    hosts' cryptographic identities for a given period of time.  During
>>    that time, UAs will require that the host present a certificate chain
>>    including at least one Subject Public Key Info structure whose
>>    fingerprint matches one of the pinned fingerprints for that host.  By
>>    effectively reducing the number of authorities who can authenticate
>>    the domain during the lifetime of the pin, pinning may reduce the
>>    incidence of man-in-the-middle attacks due to compromised
>>    Certification Authorities.
>>
>> The IETF datatracker status page for this draft is:
>> https://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/
>>
>> There's also a htmlized version available at:
>> http://tools.ietf.org/html/draft-ietf-websec-key-pinning-20
>>
>> A diff from the previous version is available at:
>> http://www.ietf.org/rfcdiff?url2=draft-ietf-websec-key-pinning-20
>>
>> Please note that it may take a couple of minutes from the time of
>> submission until the htmlized version and diff are available at
>> tools.ietf.org.
>>
>> Internet-Drafts are also available by anonymous FTP at:
>> ftp://ftp.ietf.org/internet-drafts/
>>
>> _______________________________________________
>> websec mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/websec
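The two technical points in Carl's review (a Pinning Header is invalid without max-age, and a pin is the base64 SHA-256 of the DER SubjectPublicKeyInfo, which is what the Appendix A openssl pipeline computes) can be checked with a small amount of code. The following is an added example, not code from the thread or from the draft's appendix: it parses a Public-Key-Pins field value and rejects one that lacks max-age, builds a DER SPKI for a constructed toy RSA key (TOY_N and TOY_E are made-up values, far too small to be a real key; only the DER byte layout matters for the fingerprint), computes the pin exactly as `openssl dgst -sha256 -binary | openssl enc -base64` would, and checks a chain of SPKIs against the pinned set. The "at least two pins" rule is taken from the published RFC 7469's backup-pin requirement, not from the thread; all function names are this example's own.

```python
import base64
import hashlib
import re

# Constructed toy RSA public key (NOT a real key; the modulus is far too small
# for any real use). Only the DER byte layout matters for the fingerprint.
TOY_N = 0xC4F8E9E15DCADF2B96C763D981006A644FFB4415030A16ED1283883340F2AA0E2BE2BE8FA60150B9046965837C3E7D151B7DE237EBB957C20663898250703B3F
TOY_E = 65537


def der_len(n):
    """DER length octets (short form below 0x80, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def der_integer(value):
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:  # DER INTEGER is signed: keep a positive value positive
        body = b"\x00" + body
    return der_tlv(0x02, body)


def rsa_spki_der(n, e):
    """DER SubjectPublicKeyInfo for an RSA key:
    SEQUENCE { SEQUENCE { OID rsaEncryption, NULL }, BIT STRING { RSAPublicKey } }"""
    oid_rsa = der_tlv(0x06, bytes.fromhex("2A864886F70D010101"))  # 1.2.840.113549.1.1.1
    alg_id = der_tlv(0x30, oid_rsa + der_tlv(0x05, b""))
    rsa_pub = der_tlv(0x30, der_integer(n) + der_integer(e))
    bit_str = der_tlv(0x03, b"\x00" + rsa_pub)  # leading byte = number of unused bits
    return der_tlv(0x30, alg_id + bit_str)


def spki_pin_sha256(spki_der):
    """Same value as `openssl dgst -sha256 -binary public.key | openssl enc -base64`."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


# A base64 SHA-256 digest is always 43 base64 characters plus one '=' pad.
PIN_RE = re.compile(r'^pin-sha256="([A-Za-z0-9+/]{43}=)"$', re.IGNORECASE)


def parse_pkp_header(value):
    """Parse a Public-Key-Pins field value into (max_age, pins, other directives).

    Raises ValueError when the header is not valid: max-age is REQUIRED (the point
    raised for Section 4.2), pins must be well-formed, and at least two pins must
    be present (RFC 7469 requires a backup pin)."""
    max_age = None
    pins = []
    extras = {}
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, sep, val = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            if not sep or not val.strip().isdigit():
                raise ValueError("max-age must be a non-negative integer")
            if max_age is not None:
                raise ValueError("duplicate max-age directive")
            max_age = int(val.strip())
        elif name == "pin-sha256":
            m = PIN_RE.match(directive)
            if not m:
                raise ValueError("malformed pin-sha256 directive: %r" % directive)
            pins.append(m.group(1))
        else:
            extras[name] = val.strip() if sep else None  # e.g. includeSubDomains
    if max_age is None:
        raise ValueError("max-age directive is REQUIRED")
    if len(pins) < 2:
        raise ValueError("at least two pins are required (one must be a backup)")
    return max_age, pins, extras


def is_valid_pkp_header(value):
    try:
        parse_pkp_header(value)
        return True
    except ValueError:
        return False


def chain_has_pinned_key(chain_spki_ders, pins):
    """UA-side check: does any SPKI in the presented chain match a pinned fingerprint?"""
    pinned = set(pins)
    return any(spki_pin_sha256(d) in pinned for d in chain_spki_ders)


if __name__ == "__main__":
    der = rsa_spki_der(TOY_N, TOY_E)
    pin = spki_pin_sha256(der)
    header = 'max-age=12000; pin-sha256="%s"; pin-sha256="%s"' % (pin, spki_pin_sha256(b"backup"))
    print(header)
    print("chain pinned:", chain_has_pinned_key([der], parse_pkp_header(header)[1]))
```

The parser deliberately treats the header as a whole: a field value with two pins but no max-age is rejected outright rather than being noted with a default lifetime, which is the behaviour the REQUIRED keyword in the draft calls for.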
