[websec] PKP-RO (was Re: I-D Action: draft-ietf-websec-key-pinning-12.txt)

Trevor Perrin <trevp@trevp.net> Thu, 05 June 2014 00:49 UTC

Date: Wed, 04 Jun 2014 17:48:51 -0700
Message-ID: <CAGZ8ZG1L3nKKv41=GLW62pUA+MeFXvhWn28d=rOXtJmxydG7wQ@mail.gmail.com>
From: Trevor Perrin <trevp@trevp.net>
To: Chris Palmer <palmer@google.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/yYnltxEdL97VMX43CUJlO1oMTHM
Cc: IETF WebSec WG <websec@ietf.org>
Subject: [websec] PKP-RO (was Re: I-D Action: draft-ietf-websec-key-pinning-12.txt)

Anyone have comments on below?  Is there agreement on what PKP-RO should do yet?


On Mon, May 19, 2014 at 11:28 PM, Trevor Perrin <trevp@trevp.net> wrote:
> On Tue, May 13, 2014 at 2:09 PM, Chris Palmer <palmer@google.com> wrote:
>>
>> PKP vs. PKP-RO:
>> https://code.google.com/p/key-pinning-draft/source/detail?r=994a00dc31bf2cca6f3edea29871a6a4f18090f9
>
> The new text about PKP-RO in 2.5 (quoted below) seems to say that a
> PKP-RO header is only evaluated against the current connection, not
> stored as a pin.  I thought we decided the opposite (which is what I
> think 2.3.2 is saying):
>
> 2.3.2 (existing text):
>   If a Host sets both the Public-Key-Pins header and the Public-Key-
>    Pins-Report-Only header, the UA MUST note and enforce Pin Validation
>    as specified by the Public-Key-Pins header, and SHOULD note the Pins
>    and directives given in the Public-Key-Pins-Report-Only header.
>
> 2.5 (new text):
>     The UA SHOULD NOT note any pins or other policy expressed in the PKP-
>     RO response header field.


Trevor
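As an added illustration of the two readings the message contrasts (this is example code written here, not text from the key-pinning draft and not any browser's implementation), the model below processes a `Public-Key-Pins` and a `Public-Key-Pins-Report-Only` header on a sequence of connections. A `note_report_only` switch selects the 2.3.2 reading (the UA notes the report-only pins and keeps checking them on later connections) or the 2.5 reading (the PKP-RO header is evaluated only against the connection that carried it and nothing is stored). The hostname `pinned.example`, the SPKI byte strings and the report URI are constructed placeholders; reports are collected in a list rather than sent anywhere. In both readings a report-only mismatch never blocks a connection; only noted `Public-Key-Pins` pins do.

```python
"""Model of a UA handling Public-Key-Pins (PKP) and Public-Key-Pins-Report-Only
(PKP-RO). Added example, not the draft's text or any browser's code. Header
syntax follows the draft's pin-sha256 / max-age / report-uri directives; all
hosts, keys and URIs below are constructed placeholders."""

import base64
import hashlib
import re
from dataclasses import dataclass, field

PIN_RE = re.compile(r'pin-sha256="([^"]+)"')


def spki_pin(spki_der: bytes) -> str:
    """Pin value = base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def parse_pkp(header: str) -> dict:
    """Extract pins, max-age and report-uri from a PKP or PKP-RO header value."""
    pins = set(PIN_RE.findall(header))
    m = re.search(r"max-age=(\d+)", header)
    max_age = int(m.group(1)) if m else None
    m = re.search(r'report-uri="([^"]+)"', header)
    report_uri = m.group(1) if m else None
    return {"pins": pins, "max_age": max_age, "report_uri": report_uri}


def pin_validation(pins: set, chain_spkis: list) -> bool:
    """Pin Validation passes if any SPKI in the served chain matches a pin."""
    return any(spki_pin(s) in pins for s in chain_spkis)


@dataclass
class UA:
    noted: dict = field(default_factory=dict)     # host -> enforced pins
    noted_ro: dict = field(default_factory=dict)  # host -> report-only pins (2.3.2 reading only)
    reports: list = field(default_factory=list)   # (host, header, reason); nothing is sent
    note_report_only: bool = True                 # True = 2.3.2 reading, False = 2.5 reading

    def receive(self, host: str, chain_spkis: list, pkp: str = None, pkp_ro: str = None) -> bool:
        """Handle one connection's served chain and response headers.
        Returns True if the connection may proceed, False if enforced pins reject it."""
        # 1. Previously noted PKP pins are enforced: a mismatch fails the connection.
        if host in self.noted and not pin_validation(self.noted[host], chain_spkis):
            self.reports.append((host, "PKP", "enforced pin validation failed"))
            return False
        # 2. Previously noted PKP-RO pins (exist only under the 2.3.2 reading): report, never block.
        if host in self.noted_ro and not pin_validation(self.noted_ro[host], chain_spkis):
            self.reports.append((host, "PKP-RO", "noted report-only pins did not match"))
        # 3. A new PKP header is noted only if this connection's chain already satisfies it.
        if pkp:
            p = parse_pkp(pkp)
            if p["max_age"] and pin_validation(p["pins"], chain_spkis):
                self.noted[host] = p["pins"]
        # 4. A new PKP-RO header is always evaluated against this connection and reported on;
        #    whether it is also stored is exactly the point the thread disputes.
        if pkp_ro:
            ro = parse_pkp(pkp_ro)
            if not pin_validation(ro["pins"], chain_spkis):
                self.reports.append((host, "PKP-RO", "current connection did not match PKP-RO pins"))
            if self.note_report_only:
                self.noted_ro[host] = ro["pins"]
        return True


def demo(note_report_only: bool):
    """Three connections to a constructed host; returns (allowed flags, reports)."""
    key_a, key_b, key_c = b"constructed-spki-A", b"constructed-spki-B", b"constructed-spki-C"
    pkp = f'pin-sha256="{spki_pin(key_a)}"; pin-sha256="{spki_pin(key_b)}"; max-age=5184000'
    pkp_ro = (f'pin-sha256="{spki_pin(key_c)}"; max-age=5184000; '
              f'report-uri="https://report.example.invalid/pkp"')
    ua = UA(note_report_only=note_report_only)
    # Connection 1: chain uses key A, both headers present. PKP is satisfied and noted;
    # PKP-RO (key C) is not satisfied, so one report is generated either way.
    r1 = ua.receive("pinned.example", [key_a], pkp=pkp, pkp_ro=pkp_ro)
    # Connection 2: chain uses key C, no headers. Enforced pins {A, B} reject it.
    r2 = ua.receive("pinned.example", [key_c])
    # Connection 3: chain uses key B, no headers. Allowed; under the 2.3.2 reading the
    # remembered report-only pin (C) mismatches and produces an extra report.
    r3 = ua.receive("pinned.example", [key_b])
    return (r1, r2, r3), ua.reports


if __name__ == "__main__":
    for reading, flag in (("2.3.2 (note PKP-RO pins)", True), ("2.5 (do not note)", False)):
        allowed, reports = demo(flag)
        print(reading, "allowed:", allowed, "reports:", len(reports))
```

Running the demo shows the practical difference: with the 2.3.2 reading the operator receives a report on the third connection because the report-only pin was remembered, while with the 2.5 reading PKP-RO only ever reports on the connection that delivered it. The allowed/blocked outcome is identical in both cases, which is the property an operator relies on when testing a pin set before enforcing it.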