On Fri, November 29, 2013 2:50 pm, Tom Ritter wrote:
>  On 29 November 2013 17:39, Trevor Perrin <tr...@trevp.net> wrote:
>
> > On Fri, Nov 29, 2013 at 2:15 PM, Tom Ritter <t...@ritter.vg> wrote:
> > > On 29 November 2013 15:24, Trevor Perrin <tr...@trevp.net> wrote:
> > >>
> > >>  * Why is there a "Public-Key-Pins-Report-Only" header instead of a
> > >> "report-only" directive?  Most of the document is written as if there
> > >> was a single "PKP header field", so a directive would make more
> > sense.
> > >
> > >
> > > If it becomes a directive, we should be sure that we can still apply
> > two
> > > headers, one more loose in enforcing mode, one stricter in report only
> > mode.
> >
> > Would you expect both headers to be noted?
> >
> > The current spec doesn't support that.  It specifies 2 different (and
> > incompatible) ways of handling this case:
> >
> >  - 2.1.3: "If a Host sets both the Public-Key-Pins header and the
> > Public-Key-
> >     Pins-Report-Only header, the UA MUST NOT enforce Pin Validation, and
> >     MUST note only the pins and directives given in the Public-Key-Pins-
> >     Report-Only header."
> >
> >  - 2.3.1: "If a UA receives more than one PKP header field in an HTTP
> >     response message over secure transport, then the UA MUST
> >     process only the first such header field."
> >
>
>
>  Oh yea. Heh.  Why is that?  CSP supports an enforcing header and a
>  reporting header, and both of them are applied simultaneously. I would
>  expect the same from HPKP.
>
>  -tom
>  _______________________________________________
>  websec mailing list
>  websec@ietf.org
>  https://www.ietf.org/mailman/listinfo/websec
>

Spec bug. I'll see about getting that fixed.

The PKP + PKP-Report-Only modes are meant to be parallel to their concepts
from CSP. That is, the PKP-Report-Only directive is not enforced, but if a
PKP header is present, or PKPs were noted previously, they are still
enforced.


_______________________________________________
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec
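The CSP-parallel behaviour described in the reply above (report-only pins are evaluated but never block; an enforcing header, or pins noted from an earlier response, still block) can be modelled as a small UA-side pin store. The following is an added example written for this thread, not code from the HPKP draft or any browser. It assumes a simplified directive syntax (`pin-sha256="..."` repeated, `max-age`, `report-uri`), reads the draft's "process only the first such header field" rule as applying per field name, and uses base64 SHA-256 of a SubjectPublicKeyInfo as the pin value; the host name and SPKI bytes are constructed sample data.

```python
import base64
import hashlib
from dataclasses import dataclass, field
from typing import Optional

# Header field names compared case-insensitively.
ENFORCE_HEADER = "public-key-pins"
REPORT_HEADER = "public-key-pins-report-only"


@dataclass(frozen=True)
class PinPolicy:
    pins: frozenset            # base64 SHA-256 digests of SubjectPublicKeyInfo
    max_age: int = 0
    report_uri: Optional[str] = None


def parse_pkp(value: str) -> PinPolicy:
    """Parse a PKP / PKP-Report-Only field value (simplified grammar, an assumption:
    ';'-separated directives, pin-sha256 may repeat, values optionally quoted)."""
    pins, max_age, report_uri = set(), 0, None
    for raw in value.split(";"):
        name, _, val = raw.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "pin-sha256":
            pins.add(val)
        elif name == "max-age":
            max_age = int(val)
        elif name == "report-uri":
            report_uri = val
    return PinPolicy(frozenset(pins), max_age, report_uri)


def first_header(headers, name: str) -> Optional[str]:
    """Draft 2.3.1: if a field occurs more than once, process only the first.
    Interpreted here per field name (assumption)."""
    for k, v in headers:
        if k.lower() == name:
            return v
    return None


def spki_pin(spki_der: bytes) -> str:
    """Pin value for a SubjectPublicKeyInfo: base64(SHA-256(DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


@dataclass
class PinStore:
    # host -> (enforcing PinPolicy, absolute expiry time)
    noted: dict = field(default_factory=dict)

    def process_response(self, host: str, headers, now: int) -> Optional[PinPolicy]:
        """Note enforcing pins for later connections. The report-only policy is
        returned for evaluation on this connection but is never noted, mirroring
        how CSP applies an enforcing and a report-only header side by side."""
        enforce = first_header(headers, ENFORCE_HEADER)
        if enforce is not None:
            policy = parse_pkp(enforce)
            self.noted[host] = (policy, now + policy.max_age)
        report = first_header(headers, REPORT_HEADER)
        return parse_pkp(report) if report is not None else None

    def validate(self, host: str, chain_spki_hashes, report_policy, now: int):
        """Return (enforced_ok, report_violation). Enforced pins block on a
        mismatch; the report-only policy only flags a would-be violation
        (what a UA would send to report-uri) and never blocks."""
        enforced_ok = True
        noted = self.noted.get(host)
        if noted is not None:
            policy, expiry = noted
            if expiry <= now:
                del self.noted[host]          # pins aged out, nothing to enforce
            else:
                enforced_ok = bool(policy.pins & set(chain_spki_hashes))
        report_violation = False
        if report_policy is not None:
            report_violation = not (report_policy.pins & set(chain_spki_hashes))
        return enforced_ok, report_violation


def demo():
    """Walk through the scenario from the thread with constructed keys."""
    store, host = PinStore(), "pinned.example.invalid"
    a, b, c = (spki_pin(k) for k in (b"spki-A", b"spki-B", b"spki-C"))
    # t=0: looser enforcing header (A or B) plus stricter report-only header (B only).
    headers = [
        ("Public-Key-Pins", f'pin-sha256="{a}"; pin-sha256="{b}"; max-age=3600'),
        ("Public-Key-Pins-Report-Only",
         f'pin-sha256="{b}"; max-age=3600; report-uri="https://pinned.example.invalid/r"'),
    ]
    ro = store.process_response(host, headers, now=0)
    both = store.validate(host, [a, c], ro, now=0)        # chain has A: allowed, but report fires
    # t=100: only a report-only header arrives; pins noted at t=0 are still enforced.
    ro2 = store.process_response(
        host, [("Public-Key-Pins-Report-Only", f'pin-sha256="{c}"; max-age=60')], now=100)
    later = store.validate(host, [c], ro2, now=100)       # chain lacks A/B: blocked
    expired = store.validate(host, [c], None, now=4000)   # noted pins aged out
    return {"both_headers": both, "report_only_later": later, "expired": expired}


if __name__ == "__main__":
    print(demo())
```

The `demo()` walk-through shows the case Tom raised: with both headers present the enforcing policy decides whether the connection proceeds, while the stricter report-only policy only produces a report, and a later response carrying only the report-only header does not relax pins that were noted earlier.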