On Thu, Oct 18, 2012 at 4:56 PM, websec issue tracker <trac+web...@trac.tools.ietf.org> wrote:
> #54: Specify a report-only mode
>
> Should there be a "report-only" mode, allowing site operators to see how
> using HPKP would affect their site's operation in browsers supporting
> HPKP? (Probably.)
>
> If so, specify how that mode would work.

What are people's thoughts on this?

The motivation for a report-only mode is twofold: (1) site operators want to see what would happen before going live with pinning; and (2) site operators often don't know all their keys, or all their intermediate signers' keys, or all their trust anchors' keys, and a reporting mode could help them find out.

(2) implies that the reporting interface would have to allow the UA to tell the site not just "pin validation succeeded/failed", but also why (probably by simply reporting the entire validated certificate chain that the UA computed/observed).

The reporting interface must be one that is easy for site operators to implement — writing code to collect the reports should not be a huge burden for developers. Perhaps a simple JSON blob:

    {
      "pin-validation-succeeded": (true|false),
      "expected-pins": [ "sha1/blahblah", "sha256/foobar", ... ],
      "validated-chain": [ "PEM blob of EE", "PEM blob of intermediate", ..., "PEM blob of anchor" ]
    }

The next issue is, should the site be able to specify a URL to which the UA will POST the JSON blob, or should we specify a single, well-known URL path? Using a well-known path seems simpler and less error-prone generally.

_______________________________________________
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec
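
A collector-side parser for the JSON report proposed in the message above, added here as an example; it is not part of the original post or of any websec draft. The size and chain-length caps, the function names and the placeholder bytes in the sample are assumptions.

```python
import base64, hashlib, json, re

MAX_REPORT_BYTES = 64 * 1024  # assumed cap; the thread does not set one
MAX_CHAIN_LEN = 10            # assumed cap on chain entries
DIGEST_LEN = {"sha1": 20, "sha256": 32}
FIELDS = ("pin-validation-succeeded", "expected-pins", "validated-chain")
PIN_RE = re.compile(r"^(sha1|sha256)/([A-Za-z0-9+/]+=*)$")
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

class BadReport(ValueError):
    """Raised for any report the collector refuses to store."""

def _b64(text):
    try:
        return base64.b64decode(text, validate=True)
    except ValueError:
        raise BadReport("invalid base64")

def check_pin(pin):
    m = PIN_RE.match(pin) if isinstance(pin, str) else None
    if not m or len(_b64(m.group(2))) != DIGEST_LEN[m.group(1)]:
        raise BadReport("malformed pin")
    return pin

def cert_fingerprint(pem):
    # SHA-256 of the whole DER blob, for inventory only; it is not a pin value.
    m = PEM_RE.search(pem) if isinstance(pem, str) else None
    if not m:
        raise BadReport("chain entry is not a PEM certificate")
    return hashlib.sha256(_b64("".join(m.group(1).split()))).hexdigest()

def parse_report(body):
    if len(body) > MAX_REPORT_BYTES:  # reports come from untrusted UAs
        raise BadReport("report too large")
    try:
        doc = json.loads(body)
        ok, pins, chain = (doc[k] for k in FIELDS)
    except (ValueError, KeyError, TypeError):
        raise BadReport("not a JSON object with the expected fields")
    if not (isinstance(ok, bool) and isinstance(pins, list) and isinstance(chain, list)
            and 0 < len(chain) <= MAX_CHAIN_LEN):
        raise BadReport("mistyped field or implausible chain length")
    return {"succeeded": ok, "pins": [check_pin(p) for p in pins],
            "chain_sha256": [cert_fingerprint(c) for c in chain]}

# Constructed sample: placeholder bytes stand in for real certificates and keys.
PEM_TEMPLATE = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----"
SAMPLE = json.dumps({"pin-validation-succeeded": False,
    "expected-pins": ["sha256/" + base64.b64encode(hashlib.sha256(b"fake-key").digest()).decode()],
    "validated-chain": [PEM_TEMPLATE % base64.b64encode(d).decode() for d in (b"fake-ee", b"fake-anchor")]}).encode()
```

Comparing a reported chain against the expected pins would additionally require extracting each certificate's public key with an X.509 parser, which this example leaves out.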