I don't know IETF procedure for making changes, but one of the
outstanding issues I don't think has been resolved with
draft-ietf-websec-key-pinning-02 is inherited DSA parameters.  I
raised this issue here:
http://www.ietf.org/mail-archive/web/websec/current/msg01027.html with
suggested verbiage.

-tom

On 11 August 2012 16:37, Yoav Nir <y...@checkpoint.com> wrote:
> Hi Chris
>
> I've removed SAAG from CC, trimmed most of your message, and re-arranged the 
> rest. Hope you don't mind…
>
> On Aug 11, 2012, at 1:20 AM, Chris Palmer wrote:
>
>> Additionally, HPKP and TACK might converge, more or less. I have plans
>> to publish a new HPKP I-D that borrows some of TACK's pin activation
>> and expiration ideas, for example.
>
> <hat type="chair">
>
> Just as a reminder, HPKP is now a working group draft. As such, change 
> control is with the WG. Changes that change the rules for activation and 
> expiration should be proposed and discussed on the list first.
>
> Having said that, we are pretty far from last call on key-pinning, so I think 
> it would be OK to publish a version -03 with such proposed changes, as long 
> as those changes are clearly marked as not being the result of WG consensus.
> </hat>
>
> As an individual, I understand the limitations of the "spare public key" 
> approach of the current HPKP. It's an administrative hassle to generate n 
> spare keys and keep them safe, and if you have n+1 key compromise events 
> within the max-age time, your site is blocked. But it does have the big 
> advantage that the server side can be deployed *now* with no additional 
> software. Until I see how those borrowed ideas can help with these issues, I 
> prefer HPKP.
>
>> So ultimately I do think we should decide on either HPKP or TACK, but
>> that we should make that decision after there has been some real-world
>> deployment experience with both (or, sadly, real-world non-deployment
>> of one or both).
>
> Well, there's WG deciding, and there's the market deciding. The IETF can 
> publish both approaches (as either proposed standard or experimental) and the 
> one (if any) that the market prefers can later be upgraded to standard (or it 
> can stay at proposed anyway).
>
> Yoav
> _______________________________________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/listinfo/websec
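As an added example (not code from the thread, the draft, or either author), here is a small stdlib-only Python model of the "spare public key" arrangement Yoav describes above: a pin is the base64 SHA-256 of a key's SubjectPublicKeyInfo DER, the Public-Key-Pins header carries the active pin plus n spare pins and a max-age, and a client accepts a chain only if some SPKI in it hashes to a pinned value. The SPKI blobs are constructed placeholder byte strings rather than real DER, the header format follows draft-ietf-websec-key-pinning as understood here, and `simulate_compromises` is a hypothetical helper that walks through k key-rotation events inside one max-age window, so that k = n+1 shows the site becoming unreachable. It hashes whatever SPKI bytes it is handed and does not address the inherited-DSA-parameter problem Tom raises.

```python
"""
Model of HPKP pins with spare (backup) keys.  Added example, not from the
websec thread.  SPKI inputs here are CONSTRUCTED placeholder bytes, not DER.
"""
import base64
import hashlib
import re

MAX_AGE_60_DAYS = 60 * 24 * 3600


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64 of the SHA-256 digest of the SPKI DER bytes."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def build_pkp_header(active_spki: bytes, spare_spkis, max_age: int,
                     include_subdomains: bool = False) -> str:
    """Build a Public-Key-Pins header: active pin, n spare pins, max-age."""
    parts = ['pin-sha256="%s"' % spki_pin(p) for p in [active_spki] + list(spare_spkis)]
    parts.append("max-age=%d" % max_age)
    if include_subdomains:
        parts.append("includeSubDomains")
    return "; ".join(parts)


_PIN_RE = re.compile(r'pin-sha256="([A-Za-z0-9+/=]+)"')
_AGE_RE = re.compile(r"max-age=(\d+)")


def parse_pkp_header(header: str) -> dict:
    """Client side: extract the pin set and max-age a browser would cache."""
    age = _AGE_RE.search(header)
    return {
        "pins": set(_PIN_RE.findall(header)),
        "max_age": int(age.group(1)) if age else 0,
        "include_subdomains": "includesubdomains" in header.lower(),
    }


def chain_matches(pinned: set, chain_spkis) -> bool:
    """Pin validation: at least one SPKI in the served chain must be pinned."""
    return any(spki_pin(s) in pinned for s in chain_spkis)


def simulate_compromises(n_spares: int, compromises: int):
    """
    Hypothetical helper: the site pins one active key plus n_spares spare keys,
    then suffers `compromises` rotation events before max-age expires.  Each
    event retires the current key and serves the next one.  Returns, per event,
    whether a client holding the original pins still accepts the site.
    """
    # constructed placeholder SPKI blobs; the text content is NOT real DER
    keys = [b"CONSTRUCTED-SPKI-key%d" % i for i in range(n_spares + 1 + compromises)]
    active, spares = keys[0], keys[1 : n_spares + 1]
    cached = parse_pkp_header(build_pkp_header(active, spares, MAX_AGE_60_DAYS))
    accepted = []
    for event in range(1, compromises + 1):
        # after `event` rotations the served leaf key is keys[event]
        accepted.append(chain_matches(cached["pins"], [keys[event]]))
    return accepted


if __name__ == "__main__":
    # two spares survive two compromises; the third one locks clients out
    print(simulate_compromises(n_spares=2, compromises=3))  # [True, True, False]
```

The last `False` is the failure mode in Yoav's paragraph: once every pinned key has been rotated away inside the max-age window, clients holding the cached pin set reject every chain the site can serve until the cache entry expires.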