On 29 November 2013 17:39, Trevor Perrin <tr...@trevp.net> wrote:
> On Fri, Nov 29, 2013 at 2:15 PM, Tom Ritter <t...@ritter.vg> wrote:
> > On 29 November 2013 15:24, Trevor Perrin <tr...@trevp.net> wrote:
> >>
> >> * Why is there a "Public-Key-Pins-Report-Only" header instead of a
> >> "report-only" directive? Most of the document is written as if there
> >> was a single "PKP header field", so a directive would make more sense.
> >
> >
> > If it becomes a directive, we should be sure that we can still apply two
> > headers, one more loose in enforcing mode, one stricter in report only
> > mode.
>
> Would you expect both headers to be noted?
>
> The current spec doesn't support that. It specifies 2 different (and
> incompatible) ways of handling this case:
>
> - 2.1.3: "If a Host sets both the Public-Key-Pins header and the
> Public-Key-Pins-Report-Only header, the UA MUST NOT enforce Pin Validation, and
> MUST note only the pins and directives given in the
> Public-Key-Pins-Report-Only header."
>
> - 2.3.1: "If a UA receives more than one PKP header field in an HTTP
> response message over secure transport, then the UA MUST
> process only the first such header field."
>
Oh yea. Heh. Why is that? CSP supports an enforcing header and a reporting
header, and both of them are applied simultaneously. I would expect the same
from HPKP.

-tom
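To make the inconsistency Trevor points out concrete, here is an added example (not code from the websec thread, the HPKP draft, or any browser) of a toy user-agent routine that parses Public-Key-Pins and Public-Key-Pins-Report-Only header fields and applies each of the two quoted rules, plus the CSP-style "note both" behaviour Tom expects. It assumes the HPKP directive names pin-sha256, max-age, includeSubDomains and report-uri, treats a Report-Only field as a "PKP header field" for the purposes of 2.3.1 (the reading under which the two sections conflict), and uses constructed header values; the pin hashes are placeholder base64, not real SPKI digests.

```python
"""Toy UA-side processing of HPKP header fields under three candidate rules.

Added example, not from the websec thread or any HPKP draft. Directive names
follow HPKP; the sample header values below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PKP = "Public-Key-Pins"
PKP_RO = "Public-Key-Pins-Report-Only"


@dataclass
class PinPolicy:
    header: str                                   # header field the policy came from
    pins: List[str] = field(default_factory=list)  # base64 SPKI hashes (pin-sha256)
    max_age: Optional[int] = None
    include_subdomains: bool = False
    report_uri: Optional[str] = None

    @property
    def enforce(self) -> bool:
        # Only the enforcing header makes a Pin Validation failure fatal;
        # the Report-Only header only produces reports.
        return self.header.lower() == PKP.lower()


# name, optionally followed by =quoted-string or =token
_DIRECTIVE = re.compile(r'\s*([A-Za-z0-9-]+)\s*(?:=\s*(?:"([^"]*)"|([^;"\s]+)))?\s*')


def parse_pkp_value(header: str, value: str) -> PinPolicy:
    """Split a PKP header value into directives (naive split on ';';
    a quoted value containing ';' is not handled by this toy parser)."""
    policy = PinPolicy(header=header)
    for part in value.split(";"):
        if not part.strip():
            continue
        m = _DIRECTIVE.fullmatch(part)
        if not m:
            raise ValueError(f"malformed directive: {part!r}")
        name = m.group(1).lower()
        val = m.group(2) if m.group(2) is not None else m.group(3)
        if name == "pin-sha256" and val:
            policy.pins.append(val)
        elif name == "max-age" and val:
            policy.max_age = int(val)
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "report-uri" and val:
            policy.report_uri = val
        # Unknown directives are ignored, as is usual for extensible HTTP headers.
    return policy


def process_headers(headers: List[Tuple[str, str]], rule: str) -> List[PinPolicy]:
    """Return the policies a UA would note from a response's PKP header fields.

    headers: (name, value) pairs in the order received.
    rule:    "2.1.3" -> both headers present: note only Report-Only, do not enforce
             "2.3.1" -> process only the first PKP header field received
             "both"  -> note both (CSP-style, as asked about in the thread)
    """
    pkp_fields = [(n, v) for n, v in headers
                  if n.lower() in (PKP.lower(), PKP_RO.lower())]
    policies = [parse_pkp_value(n, v) for n, v in pkp_fields]
    has_enforce = any(p.enforce for p in policies)
    has_report = any(not p.enforce for p in policies)

    if rule == "2.1.3":
        if has_enforce and has_report:
            return [p for p in policies if not p.enforce]
        return policies
    if rule == "2.3.1":
        return policies[:1]          # outcome depends on header order
    if rule == "both":
        return policies
    raise ValueError(f"unknown rule {rule!r}")


# Constructed sample response: a loose enforcing policy (two pins) followed by
# a stricter report-only policy (one pin), the deployment Tom describes.
SAMPLE_HEADERS: List[Tuple[str, str]] = [
    ("Content-Type", "text/html"),
    (PKP, 'pin-sha256="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="; '
          'pin-sha256="BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="; '
          'max-age=5184000; includeSubDomains'),
    (PKP_RO, 'pin-sha256="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="; '
             'max-age=5184000; report-uri="https://example.net/pkp-report"'),
]


def compare_rules(headers: List[Tuple[str, str]] = SAMPLE_HEADERS
                  ) -> Dict[str, List[Tuple[str, int, bool]]]:
    """Summarise (header, pin count, enforced?) under each rule side by side."""
    return {rule: [(p.header, len(p.pins), p.enforce)
                   for p in process_headers(headers, rule)]
            for rule in ("2.1.3", "2.3.1", "both")}


if __name__ == "__main__":
    for rule, noted in compare_rules().items():
        print(f"rule {rule}: {noted}")
```

Run against the sample, rule 2.1.3 notes only the Report-Only policy (nothing is enforced), rule 2.3.1 notes only the enforcing policy because it arrived first (swap the two headers and the Report-Only one wins instead), and the CSP-style rule notes both. A deployment relying on "loose enforcing plus strict report-only" therefore gets three different behaviours from the same response depending on which paragraph a UA implements.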
_______________________________________________
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec