On Wed, Apr 8, 2015 at 6:00 PM, Phillip Hallam-Baker
<[email protected]> wrote:
> http://tools.ietf.org/html/draft-hallambaker-webseccaa-00
>
> It is a pretty straightforward proposal:
>
> * Use the CAA record with either the hsts or hpkp tag
> * Put the same text you would have put into the CAA record value field
>
> There are a few differences in interpretation. All we are trying to do
> here is to help people to close the 'secure after first use' hole, not
> replace.
>
> Given that we have quite a bit of use of HSTS headers, providing a
> mechanism for publishing this in the DNS looks like being the obvious
> approach.
>

A quick question....

> * Use the CAA record with either the hsts or hpkp tag
> * Put the same text you would have put into the CAA record value field

This is obviously predicated on an online app and DNS. Is there any
interest in Installable Web Apps delivered over a trusted distribution
channel?

Installable Web Apps are simply web apps with a manifest that are
packaged and installed like more traditional apps. They still use the
same technologies, like HTML, CSS and JavaScript. The trusted
distribution channel ensures the app is not tampered during delivery.
The class of app is supported by both Firefox and Chrome.

In the case of installable apps, the information like HSTS and HPKP
can be placed in the app manifest. Even better, standards like HPKP
won't need to provide the override because it's confused about which
pinset is the right one to use. Because the HSTS and HPKP information
was in the manifest during delivery, there will be no question about
which policy or key to use.

Jeff
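As an added illustration of the quoted proposal (not code from the draft or from either poster), the following parses a CAA RRset, picks out records carrying the proposed hsts and hpkp tags, and reads their values with the same directive syntax as the HTTP headers (RFC 6797 and RFC 7469), which is what "put the same text you would have put into the header" implies. The record format assumed is the RFC 6844 presentation format (flags tag "value"); the zone data and the pin value are constructed placeholders.

```python
"""Read HSTS/HPKP policy published in CAA records (added example, constructed data)."""
import re

# Constructed RRset: two standard CAA tags plus the proposed hsts/hpkp tags.
# The pin-sha256 value is a placeholder (base64 of 32 zero bytes), not a real pin.
SAMPLE_CAA_RRSET = [
    '0 issue "ca.example.net"',
    '0 iodef "mailto:security@example.net"',
    '0 hsts "max-age=31536000; includeSubDomains"',
    '0 hpkp "pin-sha256=\\"' + 'A' * 43 + '=\\"; max-age=5184000"',
]

# RFC 6844 presentation format: <flags> <tag> "<value>", with \" escaping inside the value.
CAA_RR = re.compile(r'^(\d+)\s+([A-Za-z0-9]+)\s+"((?:[^"\\]|\\.)*)"$')


def parse_caa(rr):
    """Split one CAA record into (flags, tag, value); tags are case-insensitive."""
    m = CAA_RR.match(rr.strip())
    if not m:
        raise ValueError(f"not a CAA record: {rr!r}")
    flags, tag, value = m.groups()
    return int(flags), tag.lower(), value.replace('\\"', '"')


def parse_directives(value):
    """Parse a header-style directive string into a dict.

    Directive names are case-insensitive; valueless directives map to True and
    pin-sha256, which may repeat, is collected into a list.
    """
    out = {}
    for part in value.split(';'):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition('=')
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == 'pin-sha256':
            out.setdefault(name, []).append(val)
        else:
            out[name] = val if val else True
    return out


def web_security_policy(rrset):
    """Return {'hsts': {...}, 'hpkp': {...}} from an RRset, ignoring other CAA tags."""
    policy = {}
    for rr in rrset:
        _flags, tag, value = parse_caa(rr)
        if tag in ('hsts', 'hpkp'):
            policy[tag] = parse_directives(value)
    return policy


def requires_https(rrset):
    """True when the zone publishes HSTS with a positive max-age, so a client can
    insist on HTTPS before its first visit (the 'secure after first use' hole)."""
    hsts = web_security_policy(rrset).get('hsts')
    try:
        return bool(hsts) and int(hsts.get('max-age', 0)) > 0
    except ValueError:
        return False
```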

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
