#53: Clarify status of pin validation when used with private trust anchors

Clarify in the I-D whether and how, when the server's certificate chain chains up to a private trust anchor (as opposed to a publicly-trusted one such as in Mozilla's or Microsoft's root CA programs), the UA should perform pin validation.

Options:

 * If anchor is private, do not perform pin validation
 * Always perform pin validation, presumably always failing when trust anchor is private
 * If anchor is private, validate against a database of private pins;
   * If there is no DB of private pins, do not perform pin validation
   * If there is no DB of private pins, perform pin validation anyway (presumably always failing)
 * Other options?

Currently, Google Chrome opts to not perform pin validation when the trust anchor is private.

-- 
-------------------------+----------------------
 Reporter:  palmer@…     |      Owner:  palmer@…
     Type:  defect       |     Status:  new
 Priority:  major        |  Milestone:
Component:  key-pinning  |    Version:
 Severity:  -            |   Keywords:
-------------------------+----------------------
Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/53>
websec <http://tools.ietf.org/websec/>
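The options in the ticket, modelled as a UA-side decision in Python. This is an added illustration, not code from the I-D or from any browser; the policy names, the `pin_validation` function and the sample SPKI byte strings are constructed for the example (a real UA hashes the DER-encoded SubjectPublicKeyInfo of each certificate in the validated chain).

```python
import base64
import hashlib
from enum import Enum


class PrivateAnchorPolicy(Enum):
    """Hypothetical names for the ticket's options (not from the I-D)."""
    SKIP = 1         # private anchor: do not perform pin validation (Chrome's current choice)
    ALWAYS = 2       # always validate; a chain from a private anchor will normally fail
    PRIVATE_DB = 3   # private anchor: validate against a separate database of private pins


def spki_pin(spki_der: bytes) -> str:
    """HPKP pin value: base64 of SHA-256 over the certificate's SubjectPublicKeyInfo DER."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def pin_validation(chain_spkis, public_anchor_spkis, host_pins, policy,
                   private_pins=None, fail_without_private_db=False):
    """Return (performed, ok). chain_spkis is the validated chain, leaf first, ending
    at the trust anchor's SPKI. Validation passes if any SPKI in the chain matches a pin."""
    anchor_is_private = chain_spkis[-1] not in public_anchor_spkis
    chain_pins = {spki_pin(s) for s in chain_spkis}
    if anchor_is_private:
        if policy is PrivateAnchorPolicy.SKIP:
            return False, True                   # pins are not consulted at all
        if policy is PrivateAnchorPolicy.PRIVATE_DB:
            if private_pins is None:             # no private-pin DB: the ticket's two sub-options
                return (True, False) if fail_without_private_db else (False, True)
            return True, bool(chain_pins & private_pins)
        # ALWAYS: fall through and check the host's pins, which will not match a private chain
    return True, bool(chain_pins & host_pins)


# Constructed sample SPKIs (stand-ins for real DER blobs).
PUBLIC_ROOT_SPKI = b"constructed:public-root-spki"
SITE_LEAF_SPKI = b"constructed:site-leaf-spki"
CORP_ROOT_SPKI = b"constructed:corporate-private-root-spki"
PROXY_LEAF_SPKI = b"constructed:proxy-issued-leaf-spki"
PUBLIC_ANCHORS = {PUBLIC_ROOT_SPKI}
SITE_PINS = {spki_pin(SITE_LEAF_SPKI)}                # the site pins its own leaf key
GENUINE_CHAIN = [SITE_LEAF_SPKI, PUBLIC_ROOT_SPKI]    # chains to a public root
PROXY_CHAIN = [PROXY_LEAF_SPKI, CORP_ROOT_SPKI]       # chains to a locally-installed private anchor

if __name__ == "__main__":
    for policy in PrivateAnchorPolicy:
        print(policy.name,
              "genuine:", pin_validation(GENUINE_CHAIN, PUBLIC_ANCHORS, SITE_PINS, policy),
              "private:", pin_validation(PROXY_CHAIN, PUBLIC_ANCHORS, SITE_PINS, policy))
```

Under every policy the genuine chain passes; the private chain is either not checked (SKIP, or PRIVATE_DB with no database), fails against the host's pins (ALWAYS), or is judged against the private-pin database alone.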