[
https://issues.apache.org/jira/browse/TS-3216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14364147#comment-14364147
]
James Peach commented on TS-3216:
---------------------------------
I don't like this approach, for a number of reasons:
- It's based on {{ssl_multicert.config}} configuration, so it is not consistent
with HSTS which is based on {{records.config}}.
- It assumes that there is only 1 backup pin, the backup pin is contained in a
CSR, and that the CSR is available to ATS. All of these assumptions seem shaky
to me.
- There are many HPKP options missing (e.g., {{Public-Key-Pins-Report-Only}},
{{report-url}}) and it's not clear to me that configuring this in
{{ssl_multicert.config}} would be a good approach.
- I really would like to avoid adding more knobs to {{ssl_multicert.config}},
since it is way too complex already.
> Add HPKP (Public Key Pinning Extension for HTTP) support
> --------------------------------------------------------
>
> Key: TS-3216
> URL: https://issues.apache.org/jira/browse/TS-3216
> Project: Traffic Server
> Issue Type: New Feature
> Components: SSL
> Reporter: Masaori Koshiba
> Assignee: James Peach
> Labels: review
> Fix For: 5.3.0
>
> Attachments: hpkp-001.patch, hpkp-002.patch
>
>
> Add "Public Key Pinning Extension for HTTP" Support in Traffic Server.
> Public Key Pinning Extension for HTTP (draft-ietf-websec-key-pinning-21)
> - https://tools.ietf.org/html/draft-ietf-websec-key-pinning-21