#53: Clarify status of pin validation when used with private trust anchors
Comment (by pal...@google.com):

 The current draft has this text:

 578       <t>If the connection has no errors, then the UA will determine whether to
 579       apply a new, additional correctness check: Pin Validation. A UA SHOULD
 580       perform Pin Validation whenever connecting to a Known Pinned Host, but MAY
 581       allow Pin Validation to be disabled for Hosts according to local policy. For
 582       example, a UA may disable Pin Validation for Pinned Hosts whose validated
 583       certificate chain terminates at a user-defined trust anchor, rather than a
 584       trust anchor built-in to the UA. However, if the Pinned Host Metadata
 585       indicates that the Pinned Host is operating in "strict mode" (see
 586       <xref target="strict"/>), then the UA MUST perform Pin Validation.</t>

 I believe this is the result of previous consensus. Is that correct, and can I therefore close this issue?

--
-------------------------------+--------------------------------
 Reporter:  pal...@google.com  |       Owner:  pal...@google.com
     Type:  defect             |      Status:  assigned
 Priority:  major              |   Milestone:
Component:  key-pinning        |     Version:
 Severity:  -                  |  Resolution:
 Keywords:                     |
-------------------------------+--------------------------------

Ticket URL: <http://tools.ietf.org/wg/websec/trac/ticket/53#comment:2>
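
The decision described in the quoted draft paragraph, as an added sketch that is not part of the original message or the draft. The class and function names, the SHA-256 pin format and the SPKI byte strings are assumptions constructed for illustration; it shows that the user-defined-anchor exemption applies only outside strict mode.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class PinnedHostMetadata:          # hypothetical name
    pins: frozenset                # SHA-256 digests of pinned SPKIs (assumed format)
    strict: bool = False           # the draft's "strict mode"

@dataclass
class ValidatedChain:              # hypothetical name
    spkis: tuple                   # SubjectPublicKeyInfo bytes, leaf first
    user_defined_anchor: bool      # chain ends at a locally installed trust anchor

def pin_validation_required(meta, chain, skip_for_user_anchors):
    """Apply the SHOULD / MAY / MUST rules of the quoted paragraph."""
    if meta is None:               # not a Known Pinned Host: nothing to check
        return False
    if meta.strict:                # MUST: local policy cannot switch it off
        return True
    if skip_for_user_anchors and chain.user_defined_anchor:
        return False               # MAY: disabled by local policy
    return True                    # SHOULD: default for a Known Pinned Host

def pins_match(meta, chain):
    """True if any key in the validated chain hashes to a pinned value."""
    return any(hashlib.sha256(s).digest() in meta.pins for s in chain.spkis)

def connection_allowed(meta, chain, skip_for_user_anchors=True):
    """Call only after ordinary certificate validation finished with no errors."""
    if not pin_validation_required(meta, chain, skip_for_user_anchors):
        return True
    return pins_match(meta, chain)

# Constructed sample data: placeholder byte strings, not real key encodings.
SITE_KEY = b"constructed-spki: site leaf key"
OTHER_KEY = b"constructed-spki: unpinned key"
PINS = frozenset({hashlib.sha256(SITE_KEY).digest()})

direct = ValidatedChain((SITE_KEY,), user_defined_anchor=False)
private_anchor = ValidatedChain((OTHER_KEY,), user_defined_anchor=True)
public_unpinned = ValidatedChain((OTHER_KEY,), user_defined_anchor=False)

if __name__ == "__main__":
    for strict in (False, True):
        meta = PinnedHostMetadata(PINS, strict)
        for name, chain in (("direct", direct), ("private anchor", private_anchor),
                            ("public, unpinned", public_unpinned)):
            print(f"strict={strict!s:5} {name:17} allowed={connection_allowed(meta, chain)}")
```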