Section 2.7 states: UAs MAY choose to implement additional sources of pinning information, such as through built-in lists of pinning information. Such UAs should allow users to override such additional sources, including disabling them from consideration.
From section 2.7, I understand a _user_ can provide an override to a _preloaded_ pinset. But I don't see where a user is provided the authority to override a non-preloaded pinset. And I don't see where an external entity is provided authority to override a preloaded or non-preloaded pinset. Is this correct? If correct, shouldn't the user be allowed to override both preloaded and non-preloaded pinsets? If correct, won't that break Chrome with respect to http://www.imperialviolet.org/2011/05/04/pinning.html (see section "What about MITM proxies, Fiddler etc?")?

_______________________________________________
websec mailing list
https://www.ietf.org/mailman/listinfo/websec
