#53: Clarify status of pin validation when used with private trust anchors

 Clarify in the I-D whether and how, when the server's certificate chain
 chains up to a private trust anchor (as opposed to a publicly-trusted one
 such as in Mozilla's or Microsoft's root CA programs), the UA should
 perform pin validation. Options:

 * If anchor is private, do not perform pin validation

 * Always perform pin validation, presumably always failing when trust
 anchor is private

 * If anchor is private, validate against a database of private pins;
 ** If there is no DB of private pins, do not perform pin validation
 ** If there is no DB of private pins, perform pin validation anyway
 (presumably always failing)

 * Other options?

 Currently, Google Chrome opts to not perform pin validation when the trust
 anchor is private.

-- 
-------------------------+----------------------
 Reporter:  palmer@…     |      Owner:  palmer@…
     Type:  defect       |     Status:  new
 Priority:  major        |  Milestone:
Component:  key-pinning  |    Version:
 Severity:  -            |   Keywords:
-------------------------+----------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/53>
websec <http://tools.ietf.org/websec/>

_______________________________________________
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec
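To make the options in the ticket concrete, here is an added illustration
(not code from the I-D, from Chrome, or from the ticket reporter) of a
UA-side pin check with a switch for each listed behaviour. It assumes the
usual pin-sha256 construction (base64 of the SHA-256 over the
SubjectPublicKeyInfo DER) and that a chain passes when any SPKI in it matches
any pin; how the UA decides that an anchor is "private" (e.g. not in the
built-in store) is left to the caller. All SPKI bytes and pin sets below are
constructed placeholders, not real keys.

```python
"""Pin validation with a private-trust-anchor policy switch.

Added example for websec ticket #53; not the I-D's or any UA's code.
SPKI bytes below are constructed placeholders, not real keys.
"""
import base64
import hashlib
from enum import Enum


class PrivateAnchorPolicy(Enum):
    """The options listed in the ticket, as a UA-side switch."""
    SKIP = 1        # private anchor: do not perform pin validation
    ENFORCE = 2     # always validate against the site's public pins
    PRIVATE_DB = 3  # private anchor: validate against a private-pin database


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def chain_matches_pins(chain_spkis, pins) -> bool:
    """A chain passes if ANY SPKI in it matches ANY pin (leaf,
    intermediate or root all count)."""
    return any(spki_pin(spki) in pins for spki in chain_spkis)


def validate_pins(chain_spkis, public_pins, anchor_is_private, policy,
                  private_pins=None, enforce_without_private_db=False) -> bool:
    """Return True if the connection may proceed.

    anchor_is_private: decided by the caller (e.g. root not in built-in store).
    private_pins: the optional private-pin DB; None means the UA has none.
    enforce_without_private_db: with PRIVATE_DB and no DB, validate against
    the public pins anyway (which a private chain will presumably fail)
    instead of skipping validation.
    """
    if not anchor_is_private:
        return chain_matches_pins(chain_spkis, public_pins)
    if policy is PrivateAnchorPolicy.SKIP:
        return True
    if policy is PrivateAnchorPolicy.PRIVATE_DB:
        if private_pins is not None:
            return chain_matches_pins(chain_spkis, private_pins)
        if not enforce_without_private_db:
            return True
    # ENFORCE, or PRIVATE_DB with no DB and enforce_without_private_db set
    return chain_matches_pins(chain_spkis, public_pins)


# Constructed placeholder SPKI bytes (not real keys) for two chains:
# one up to a public root, one re-issued under an enterprise private root.
LEAF_SPKI = b"constructed SPKI: www.example.com leaf"
PUBLIC_INTERMEDIATE_SPKI = b"constructed SPKI: public CA intermediate"
PUBLIC_ROOT_SPKI = b"constructed SPKI: public CA root"
PRIVATE_ROOT_SPKI = b"constructed SPKI: enterprise private root"
PROXY_LEAF_SPKI = b"constructed SPKI: leaf re-issued under the private root"

# The site pins its public intermediate plus a backup key.
SITE_PINS = {spki_pin(PUBLIC_INTERMEDIATE_SPKI),
             spki_pin(b"constructed SPKI: backup key")}

PUBLIC_CHAIN = [LEAF_SPKI, PUBLIC_INTERMEDIATE_SPKI, PUBLIC_ROOT_SPKI]
PRIVATE_CHAIN = [PROXY_LEAF_SPKI, PRIVATE_ROOT_SPKI]


def outcomes():
    """Result of each option in the ticket for the private chain."""
    P = PrivateAnchorPolicy
    return {
        "public chain": validate_pins(PUBLIC_CHAIN, SITE_PINS, False, P.ENFORCE),
        "skip": validate_pins(PRIVATE_CHAIN, SITE_PINS, True, P.SKIP),
        "enforce": validate_pins(PRIVATE_CHAIN, SITE_PINS, True, P.ENFORCE),
        "private_db match": validate_pins(
            PRIVATE_CHAIN, SITE_PINS, True, P.PRIVATE_DB,
            private_pins={spki_pin(PRIVATE_ROOT_SPKI)}),
        "private_db, no db, skip": validate_pins(
            PRIVATE_CHAIN, SITE_PINS, True, P.PRIVATE_DB),
        "private_db, no db, enforce": validate_pins(
            PRIVATE_CHAIN, SITE_PINS, True, P.PRIVATE_DB,
            enforce_without_private_db=True),
    }


if __name__ == "__main__":
    for name, ok in outcomes().items():
        print(f"{name:28s} -> {'pass' if ok else 'PIN FAILURE'}")
```

Running it shows the trade-off the ticket is asking about: under ENFORCE the
privately-anchored chain fails because none of its SPKIs appear in the
site's pins, under SKIP it passes with no pin check at all, and PRIVATE_DB
only helps if the UA actually carries a private-pin database.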