>> In the case of installable apps, the information like HSTS and HPKP >> can be placed in the app manifest. Even better, standards like HPKP >> won't need to provide the override because its confused about which >> pinset is the right one to use. Because the HSTS and HPKP information >> was in the manifest during delivery, there will be no question about >> which policy or key to use. > > By "the override", I presume you mean "the ability for a duly authorized > user with administrative access over the machine they own to set policies > for the applications they install", which you've objected to in the past, > in which case, there's no reason at all to assume that the respect for a > user's wishes over that of the developer's would somehow be inverted.
How did I know you would object to an effective security measure that minimized the ability to intercept communications :) I'd also cite the same document and claim that when the user installed the application with the preloaded and *known secure* settings, they would not want them arbitrarily overridden because a standard was confused about which pinset was the right one to use. As you succinctly said, its a Priorities of Constituencies. Jeff _______________________________________________ websec mailing list [email protected] https://www.ietf.org/mailman/listinfo/websec
