Re: [websec] Re-litigating Key-Pinning

Tobias Gondrom, Wed, 27 August 2014 10:29 UTC

List-Id: Web Application Security Minus Authentication and Transport

I agree.

<with WG chair hat on>

On 27/08/14 06:44, Yoav Nir wrote:
> Hi folks
> In the last few days, we’ve had a bunch of threads re-opening issues with key-pinning, mostly around the PKP-RO.
> This document has gone through years of discussion on the mailing list, a WGLC and an IETF LC.
> The document is now under review by the IESG. We (the working group) and the authors need to address comments and discuss ballots by members of the IESG. This is an inappropriate time to raise new substantive issues about the document.
> Fixing editorial issues like Julian’s comments about references is fine, and could even be done *after* IESG review. However, making substantive changes like removing PKP-RO or changing the requirements for processing it cannot be done at this stage. Deciding to do this requires withdrawing the publication request and sending it back to the working group. I do not think this is advisable.
> The IETF occasionally publishes documents that are imperfect. Such imperfections can be fixed later via errata or -bis documents. For now, I think we should publish the document as it is with the changes agreed upon in discussions with ADs.
> Thanks
> Yoav
> [with chair hat firmly on]