#53: Clarify status of pin validation when used with private trust anchors

Comment (by pal...@google.com):

 The current draft has this text:

  578 <t>If the connection has no errors, then the UA will determine whether to
  579 apply a new, additional correctness check: Pin Validation. A UA SHOULD
  580 perform Pin Validation whenever connecting to a Known Pinned Host, but MAY
  581 allow Pin Validation to be disabled for Hosts according to local policy. For
  582 example, a UA may disable Pin Validation for Pinned Hosts whose validated
  583 certificate chain terminates at a user-defined trust anchor, rather than a
  584 trust anchor built-in to the UA. However, if the Pinned Host Metadata
  585 indicates that the Pinned Host is operating in "strict mode" (see
  586 <xref target="strict"/>), then the UA MUST perform Pin Validation.</t>

 I believe this is the result of previous consensus. Is that correct, and
 can I therefore close this issue?

-- 
-------------------------------+--------------------------------
 Reporter:  pal...@google.com  |       Owner:  pal...@google.com
     Type:  defect             |      Status:  assigned
 Priority:  major              |   Milestone:
Component:  key-pinning        |     Version:
 Severity:  -                  |  Resolution:
 Keywords:                     |
-------------------------------+--------------------------------

Ticket URL: <http://tools.ietf.org/wg/websec/trac/ticket/53#comment:2>
websec <http://tools.ietf.org/websec/>

_______________________________________________
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec
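
The SHOULD/MAY/MUST decision in the quoted draft paragraph, written out as an added Python example (not code from the draft, the ticket or any UA). The PinnedHost fields, the exempt_user_anchors policy switch, SHA-256 pins and the placeholder SPKI byte strings are assumptions made for illustration; Pin Validation is modelled as at least one SPKI in the validated chain matching a pin.

```python
import base64
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class PinnedHost:
    """Hypothetical Pinned Host Metadata; field names are assumptions."""
    pins: frozenset        # base64 SHA-256 digests of pinned SPKIs
    strict: bool = False   # host asked for "strict mode"

def spki_pin(spki: bytes) -> str:
    """Pin value for one SubjectPublicKeyInfo: base64(SHA-256(SPKI))."""
    return base64.b64encode(hashlib.sha256(spki).digest()).decode()

def must_validate(host, anchor_is_builtin, exempt_user_anchors=True):
    """Does Pin Validation run on a connection that has no other errors?"""
    if host is None:
        return False       # not a Known Pinned Host: nothing to check
    if host.strict:
        return True        # MUST: strict mode overrides local policy
    if exempt_user_anchors and not anchor_is_builtin:
        return False       # MAY: local policy exempts user-defined anchors
    return True            # SHOULD: default for a Known Pinned Host

def connection_allowed(host, chain_spkis, anchor_is_builtin, exempt_user_anchors=True):
    """Apply the policy, then require one chain SPKI to match a pin."""
    if not must_validate(host, anchor_is_builtin, exempt_user_anchors):
        return True
    return any(spki_pin(s) in host.pins for s in chain_spkis)

# Constructed sample data: placeholder byte strings stand in for DER SPKIs.
PUBLIC_CHAIN = [b"leaf-spki", b"public-intermediate-spki", b"public-root-spki"]
PRIVATE_CHAIN = [b"reissued-leaf-spki", b"private-root-spki"]  # user-installed root
LAX = PinnedHost(pins=frozenset({spki_pin(b"public-intermediate-spki")}))
STRICT = PinnedHost(pins=LAX.pins, strict=True)

if __name__ == "__main__":
    for name, host in (("non-strict", LAX), ("strict", STRICT)):
        print(name, "public chain:", connection_allowed(host, PUBLIC_CHAIN, True))
        print(name, "private anchor:", connection_allowed(host, PRIVATE_CHAIN, False))
```

The same private-anchor chain is accepted for the non-strict host and rejected for the strict one, which is the distinction the ticket asks the draft to make explicit.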
