On Tue, Aug 26, 2014 at 5:15 PM, Joseph Bonneau <jbonn...@gmail.com> wrote:
>>
>> I'd like PKP-RO to be cached like PKP and applied the same way, absent
>> the connection termination (preference). After I realized the
>> includeSubdomains issue (concern), I want it even more for testing a
>> deployment than I want it for my prior attack detection arguments
>> (preference).
>
>
> My email wasn't very clear but I would also prefer this policy
I'd prefer this as well. To be even clearer, I think the browser should treat PKP and PKP-RO headers independently. I.e., the browser should maintain separate stores for PKP and PKP-RO data. PKP headers only affect the PKP store, and PKP-RO headers only affect the PKP-RO store. (For example, PKP max-age=0 doesn't clear PKP-RO, and vice versa). A browser implementing this probably already has separate stores for HSTS and HPKP, so this is just adding a third for HPKP-RO, which seems reasonable to implement.

Trevor

_______________________________________________
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec
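A toy model of the separate-store behaviour proposed above, added here as an example that is not code from the thread or from any browser: PKP and PKP-RO headers are parsed with the RFC 7469 directive syntax into two independent maps, so a PKP max-age=0 clears only the enforced entry, and a mismatch is either a blocked connection or just a report. Pin values are constructed placeholders, not real SPKI hashes.

```javascript
// Added example, not from the websec thread: a toy browser pin store with
// separate maps for PKP and PKP-RO; pin values are constructed placeholders.
const PKP = 'public-key-pins', PKP_RO = 'public-key-pins-report-only';
// Parse RFC 7469 directives: pin-sha256="..", max-age=N, includeSubDomains, report-uri="..".
function parsePins(value) {
  const d = { pins: new Set(), maxAge: null, includeSubdomains: false, reportUri: null };
  for (const part of value.split(';')) {
    const eq = part.indexOf('=');
    const key = (eq < 0 ? part : part.slice(0, eq)).trim().toLowerCase();
    const val = eq < 0 ? '' : part.slice(eq + 1).trim().replace(/^"|"$/g, '');
    if (key === 'pin-sha256') d.pins.add(val);
    else if (key === 'max-age') d.maxAge = Number.parseInt(val, 10);
    else if (key === 'includesubdomains') d.includeSubdomains = true;
    else if (key === 'report-uri') d.reportUri = val;
  }
  return d;
}

class PinStore {
  constructor() { this.enforce = new Map(); this.reportOnly = new Map(); }
  // Each header touches only its own store: PKP max-age=0 clears the enforced
  // entry but leaves any PKP-RO entry for the same host intact, and vice versa.
  processHeader(host, name, value, nowMs) {
    const store = new Map([[PKP, this.enforce], [PKP_RO, this.reportOnly]]).get(name.toLowerCase());
    if (!store) return;
    const d = parsePins(value);
    if (!Number.isInteger(d.maxAge) || d.maxAge < 0 || d.pins.size === 0) return; // malformed
    if (d.maxAge === 0) store.delete(host);
    else store.set(host, { ...d, expires: nowMs + d.maxAge * 1000 });
  }
  // Unexpired entry for host, or for a parent domain that set includeSubDomains.
  lookup(store, host, nowMs) {
    const labels = host.split('.');
    for (let i = 0; i < labels.length - 1; i++) {
      const e = store.get(labels.slice(i).join('.'));
      if (e && e.expires > nowMs && (i === 0 || e.includeSubdomains)) return e;
    }
    return null;
  }
  // chainHashes: SPKI hashes of the served chain. An enforced mismatch blocks;
  // a report-only mismatch only yields a report for the configured report-uri.
  check(host, chainHashes, nowMs) {
    const mismatch = (e) => Boolean(e) && !chainHashes.some((h) => e.pins.has(h));
    const ro = this.lookup(this.reportOnly, host, nowMs);
    const en = this.lookup(this.enforce, host, nowMs);
    const reports = [];
    if (mismatch(ro)) reports.push({ host, mode: 'report-only', reportUri: ro.reportUri });
    if (mismatch(en) && en.reportUri) reports.push({ host, mode: 'enforce', reportUri: en.reportUri });
    return { block: mismatch(en), reports };
  }
}
```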