Hi all, I know this is late days and all, but something on the httpbis list got me to thinking about this.

Section 2.1.4 defines the "strict" directive. When present, it means that "the UA ... should apply to the Pinned Host the Pinning Policy expressed in the PKP header ... ignoring local client policy." While the text does not say what this local policy might be, the reason for having this was the policy to allow locally-issued certificates to be used for pretty much anything. This policy accommodates TLS proxies. So if a security-minded bank would like to avoid interception even at the cost of being inaccessible from many places of business, they can use the "strict" directive.

Now consider two devices. One is a mobile platform, could be a phone or a laptop, that the user carries around from home to work. The other is a desktop computer that is always at work. The laptop will at some point be used at home to access the bank. The PKP gets noted, and from that point on, the user will not be able to access the bank from work. The desktop computer cannot note the PKP, and will always be able to connect to the bank.

Section 2.5 says this:

   o The UA MUST note the Pins if and only if the TLS connection was authenticated with a certificate chain containing at least one of the SPKI structures indicated by at least one of the given SPKI Fingerprints.

This rule is a safety rule, to avoid being injected with bogus PKPs, mostly through misconfiguration of the server. There are other requirements (that TLS be error-free) that make sure it is not done by an attacker (at least, not a non-trusted attacker).

I'm wondering if we should remove this requirement from section 2.5 when the "strict" directive is present. IOW, should we allow noting of PKPs with the "strict" directive as long as the TLS connection is valid. I can see how this would make it easy for a TLS proxy to brick the browser, but I'm wondering what others think of the trade-off.

Yoav

_______________________________________________
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec
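The noting rule from Section 2.5, the effect of "strict" on a later Pin Validation, and the relaxation floated in the post, modelled as an added example that is not code from the websec thread or from the key-pinning draft. The SPKI values are constructed placeholder byte strings rather than real DER, the header grammar is only as much of the draft's directive syntax as the post quotes, the local-client-policy exemption for chains ending in a locally-installed root is an assumed UA behaviour, and `allow_strict_relaxation` is a hypothetical flag standing for the proposed change:

```python
# Added example, not code from the websec thread or the key-pinning draft.
# Models the Section 2.5 noting rule, Pin Validation with and without the
# "strict" directive, and the relaxation proposed in the post.
# SPKI values are constructed placeholders, not real DER; a UA would hash the
# DER SubjectPublicKeyInfo of each certificate in the validated chain.
import base64
import hashlib

# Constructed placeholders standing in for DER-encoded SubjectPublicKeyInfo.
BANK_LEAF_SPKI = b"constructed-spki: bank leaf"
BANK_ROOT_SPKI = b"constructed-spki: bank root (public CA)"
PROXY_LEAF_SPKI = b"constructed-spki: TLS proxy leaf (local root)"
UNRELATED_SPKI = b"constructed-spki: matches nothing presented"


def spki_fingerprint(spki_der):
    """SPKI Fingerprint: SHA-256 over the DER SubjectPublicKeyInfo."""
    return hashlib.sha256(spki_der).digest()


def build_pkp_header(spkis, max_age, strict=False):
    """Serialise a Public-Key-Pins header value (directive grammar assumed)."""
    parts = ['pin-sha256="%s"' % base64.b64encode(spki_fingerprint(s)).decode("ascii")
             for s in spkis]
    parts.append("max-age=%d" % max_age)
    if strict:
        parts.append("strict")
    return "; ".join(parts)


def parse_pkp_header(value):
    """Parse a PKP header value into its pins and the directives used here."""
    policy = {"pins": [], "max_age": None, "strict": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "pin-sha256":
            policy["pins"].append(base64.b64decode(arg))
        elif name == "max-age":
            policy["max_age"] = int(arg)
        elif name == "strict":
            policy["strict"] = True
    return policy


def should_note_pins(policy, chain_spkis, tls_valid, allow_strict_relaxation=False):
    """Section 2.5 rule: note the pins iff TLS validated without error AND at
    least one pin-sha256 matches an SPKI in the validated chain.
    allow_strict_relaxation is the hypothetical change from the post: with
    "strict" present, note whenever the TLS connection was valid."""
    if not tls_valid:
        return False
    chain_fps = {spki_fingerprint(s) for s in chain_spkis}
    if any(pin in chain_fps for pin in policy["pins"]):
        return True
    return allow_strict_relaxation and policy["strict"]


def connection_allowed(noted, chain_spkis, chain_ends_in_local_root):
    """Pin Validation on a later connection to the Pinned Host.
    Assumed local client policy: chains ending in a locally-installed root
    (a TLS proxy) are exempt from Pin Validation unless the noted policy
    carried "strict", which tells the UA to ignore that local policy."""
    if noted is None:
        return True  # nothing noted, nothing to validate
    if chain_ends_in_local_root and not noted["strict"]:
        return True  # local policy exemption applies
    chain_fps = {spki_fingerprint(s) for s in chain_spkis}
    return any(pin in chain_fps for pin in noted["pins"])


def laptop_scenario(strict):
    """Note at home over the bank's real chain, then connect from work via
    the proxy. Returns (pins_noted, work_connection_allowed)."""
    policy = parse_pkp_header(build_pkp_header([BANK_LEAF_SPKI], 5184000, strict))
    noted = policy if should_note_pins(policy, [BANK_LEAF_SPKI, BANK_ROOT_SPKI], True) else None
    at_work = connection_allowed(noted, [PROXY_LEAF_SPKI], chain_ends_in_local_root=True)
    return noted is not None, at_work


def desktop_scenario():
    """Always behind the proxy: the bank's pins never match the proxy chain,
    so nothing is noted and the bank stays reachable."""
    policy = parse_pkp_header(build_pkp_header([BANK_LEAF_SPKI], 5184000, True))
    return should_note_pins(policy, [PROXY_LEAF_SPKI], True)


def bogus_pkp_scenario(allow_strict_relaxation):
    """A proxy (or misconfigured server) sends strict pins matching nothing it
    presents. Returns (noted, real_bank_reachable_afterwards)."""
    policy = parse_pkp_header(build_pkp_header([UNRELATED_SPKI], 5184000, True))
    noted = should_note_pins(policy, [PROXY_LEAF_SPKI], True, allow_strict_relaxation)
    reachable = connection_allowed(policy if noted else None,
                                   [BANK_LEAF_SPKI, BANK_ROOT_SPKI], False)
    return noted, reachable
```

Under the current Section 2.5 rule `bogus_pkp_scenario(False)` never notes the injected pins, so the bank stays reachable; with the relaxation switched on the same header is noted because TLS validated through the locally-trusted proxy root, and every later connection to the real bank then fails Pin Validation, which is the "brick the browser" outcome the post anticipates.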
Section 2.1.4 defines the "strict" directive. When present, it means that "the UA ... should apply to the Pinned Host the Pinning Policy expressed in the PKP header ... ignoring local client policy." While the text does not say what this local policy might be, the reason for having this was the policy to allow locally-issued certificates to be used for pretty much anything. This policy accommodates TLS proxies. So if a security-minded bank would like to avoid interception even at the cost of being inaccessible from many places of business, they can use the "strict" directive. Now consider two devices. One is a mobile platform, could be a phone or a laptop, that the user carries around from home to work. The other is a desktop computer, that is always at work. The laptop will at some point be used at home to access the bank. The PKP gets noted, and from that point on, the user will not be able to access the bank from work. The desktop computer cannot note the PKP, and will always be able to connect to the bank. Section 2.5 says this: o The UA MUST note the Pins if and only if the TLS connection was authenticated with a certificate chain containing at least one of the SPKI structures indicated by at least one of the given SPKI Fingerprints. This rule is a safety rule, to avoid being injected with bogus PKPs, mostly through misconfiguration of the server. There are other requirements (that TLS be error-free) that make sure it is not done by an attacker (at least, not a non-trusted attacker). I'm wondering if we should remove this requirement from section 2.5 when the "strict" directive is present. IOW, should we allow noting of PKPs with the "strict" directive as long as the TLS connection is valid. I can see how this would make it easy for a TLS proxy to brick the browser, but I'm wondering what others think of the trade-off. Yoav _______________________________________________ websec mailing list websec@ietf.org https://www.ietf.org/mailman/listinfo/websec