On Aug 28, 2014, at 3:40 PM, Julian Reschke <[email protected]> wrote:
> On 2014-08-28 10:01, Yoav Nir wrote:
>>
>> On Aug 28, 2014, at 9:07 AM, Julian Reschke <[email protected]>
>> wrote:
>>
>>> On 2014-08-27 07:44, Yoav Nir wrote:
>>>> ...
>>>> Fixing editorial issues like Julian’s comments about references is fine,
>>>> and could even be done *after* IESG review. ...
>>>> ...
>>>
>>> FWIW, I believe the ABNF issues (which are *not* editorial) absolutely need
>>> to be fixed as well.
>>>
>>
>> Hi, Julian
>>
>> I don’t want to nit-pick the meaning of the word “editorial”. But anyone
>> who’s read the draft knows what a PKP header looks like. I don’t think
>> there’s any controversy about what is and is not a valid PKP header. So
>> changing the ABNF to reflect this existing understanding is something that
>> I don’t think requires polling the group.
>> ...
>
> The issue is that the ABNF is ambiguous about whether
>
> Public-Key-Pins: max-age=3000;
> pin-xyz=abc;
>
> is syntactically valid or not. I believe it should be, because otherwise
> parsers would need to special-case the "pin-*" parameters when parsing.
>
> Best regards, Julian

Well, this might lead to me being proven wrong in my statement that everyone agrees what a valid PKP header is, but I also think this should be syntactically valid. However, clients that only support *this* document (and not “xyz and its use in key pinning”) would not pin anything based on this header.

Yoav
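The two points raised above, worked through as an added example that is not from the thread or from any pinning draft: a small directive parser that runs pin-* entries through the same grammar as every other directive (no special case), tolerates the trailing `;` of the header Julian quotes, and shows that a client which only understands the sha256 pin algorithm extracts no pins at all from `max-age=3000; pin-xyz=abc;`. `SAMPLE_HEADER` is the constructed field value from the thread and `SUPPORTED_PIN_ALGS` is an assumed client capability.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the field value from the thread, with its trailing ';'
# and a pin directive whose algorithm this client does not know.
SAMPLE_HEADER = "max-age=3000; pin-xyz=abc;"

# Assumed client capability: only the sha256 pin algorithm is understood.
SUPPORTED_PIN_ALGS = {"sha256"}

# One directive: token name, optional '=' then quoted-string or token value.
_DIRECTIVE = re.compile(
    r"""^\s*([A-Za-z0-9!#$%&'*+.^_`|~-]+)\s*(?:=\s*(?:"([^"]*)"|([^";\s]*)))?\s*$"""
)


def parse_pkp(value: str) -> List[Tuple[str, str]]:
    """Split a Public-Key-Pins field value into (name, value) directives.

    pin-* directives are parsed by exactly the same rule as max-age or any
    other directive; names are case-insensitive so they are lower-cased.
    An empty list element (what a trailing ';' produces) is skipped rather
    than treated as a syntax error.
    """
    directives = []
    for segment in value.split(";"):
        if segment.strip() == "":
            continue  # empty element, e.g. after the trailing ';'
        match = _DIRECTIVE.match(segment)
        if match is None:
            raise ValueError(f"malformed directive: {segment!r}")
        name, quoted, token = match.groups()
        directives.append((name.lower(), quoted if quoted is not None else (token or "")))
    return directives


def effective_pins(value: str) -> Dict[str, List[str]]:
    """Return {algorithm: [pin, ...]} for the pin-* directives this client supports.

    Unknown algorithms (pin-xyz) parse fine but contribute nothing, which is
    why a client without 'xyz' support pins nothing for SAMPLE_HEADER.
    """
    pins: Dict[str, List[str]] = {}
    for name, val in parse_pkp(value):
        if name.startswith("pin-") and name[len("pin-"):] in SUPPORTED_PIN_ALGS:
            pins.setdefault(name[len("pin-"):], []).append(val)
    return pins
```

A header carrying only unsupported pin algorithms parses without error but yields an empty pin set, so a conforming client must treat it as "nothing to pin" rather than as a syntax failure.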
_______________________________________________ websec mailing list [email protected] https://www.ietf.org/mailman/listinfo/websec
