Re: [websec] draft-ietf-websec-key-pinning

Tom Ritter <tom@ritter.vg> Tue, 26 August 2014 21:42 UTC

MIME-Version: 1.0
In-Reply-To: <CAGZ8ZG3KUPAbePp-_GCztj4RSLd8MuNo1iDz=ua+BEjQVzJc7Q@mail.gmail.com>
References: <BAY169-DS62B5941BF0A9024964BB0AEEE0@phx.gbl> <CACvaWvYHAmpX0f9_m-sckhWz9tcyWA-sxVR4vP-A5UcAQmnYXA@mail.gmail.com> <BAY169-DS45F1C5036AB09CA44D0BC7AEDF0@phx.gbl> <CA+cU71k-pLD315dzfd_c74QM51c7V2VQkZ26PiXUTqntmESD=A@mail.gmail.com> <CAOuvq20mZkScvPDKjsa1eZ6rdoHxf_+oF=gpaOcvkOTaYhyj6Q@mail.gmail.com> <CA+cU71mW47OvqRNTbw-H7u-F_k6hMv4xr0XcMYAS_V6eE8brwA@mail.gmail.com> <CAOuvq20C+T9Ejf_KUsfPRtUWL7ggCF0UWJZkGr5xGBEkERXeRQ@mail.gmail.com> <BAY169-DS45D73636AA204DEEABC876AEDC0@phx.gbl> <CAOuvq20kCKk=jcXsy_d8C-4Fn-f0zshP6YUPn5N8hsKt7KO7dw@mail.gmail.com> <CAGZ8ZG3KUPAbePp-_GCztj4RSLd8MuNo1iDz=ua+BEjQVzJc7Q@mail.gmail.com>
From: Tom Ritter <tom@ritter.vg>
Date: Tue, 26 Aug 2014 16:42:29 -0500
Message-ID: <CA+cU71=A6vFXZrG8mcqj4uC-z2VdJfFOutqcq9MPTYs+uhpa9Q@mail.gmail.com>
To: Trevor Perrin <trevp@trevp.net>
Content-Type: text/plain; charset="ISO-8859-1"
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/kITkWQxCVXGuew384hLAPBRG89I
Cc: "draft-ietf-websec-key-pinning@tools.ietf.org" <draft-ietf-websec-key-pinning@tools.ietf.org>, Eric Lawrence <ericlaw1979@hotmail.com>, IETF WebSec WG <websec@ietf.org>, Ryan Sleevi <sleevi@google.com>
Subject: Re: [websec] draft-ietf-websec-key-pinning
Precedence: list

On 26 August 2014 16:38, Trevor Perrin <trevp@trevp.net> wrote:
> That's not completely true, because PKP affects Pin Validation of
> other connections, and PKP-RO doesn't.
>
> ...
>
> So Eric's point is valid: PKP-RO doesn't provide an administrator much
> confidence that their site is ready for PKP, and might even mislead
> them.

This is especially true if includeSubdomains is enabled. It'd be
common for that directive to apply to hosts that the -RO header would
not be included on. In PKP-RO, it would not be applied to them; in PKP
it would.

-tom

Re: [websec] draft-ietf-websec-key-pinning Ryan Sleevi
Re: [websec] draft-ietf-websec-key-pinning Eric Lawrence
Re: [websec] draft-ietf-websec-key-pinning Tom Ritter
Re: [websec] draft-ietf-websec-key-pinning Chris Palmer
Re: [websec] draft-ietf-websec-key-pinning Tom Ritter
Re: [websec] draft-ietf-websec-key-pinning Chris Palmer
Re: [websec] draft-ietf-websec-key-pinning Chris Palmer
Re: [websec] draft-ietf-websec-key-pinning Tom Ritter
Re: [websec] draft-ietf-websec-key-pinning Eric Lawrence
Re: [websec] draft-ietf-websec-key-pinning Ryan Sleevi
Re: [websec] draft-ietf-websec-key-pinning Chris Palmer
Re: [websec] draft-ietf-websec-key-pinning Trevor Perrin
Re: [websec] draft-ietf-websec-key-pinning Tom Ritter
Re: [websec] draft-ietf-websec-key-pinning Chris Palmer
Re: [websec] draft-ietf-websec-key-pinning Joseph Bonneau
Re: [websec] draft-ietf-websec-key-pinning Tom Ritter
Re: [websec] draft-ietf-websec-key-pinning Joseph Bonneau
Re: [websec] draft-ietf-websec-key-pinning Trevor Perrin
Re: [websec] draft-ietf-websec-key-pinning Ryan Sleevi
Re: [websec] draft-ietf-websec-key-pinning Yoav Nir
Re: [websec] draft-ietf-websec-key-pinning Tom Ritter
Re: [websec] draft-ietf-websec-key-pinning Eric Lawrence
Re: [websec] draft-ietf-websec-key-pinning Ryan Sleevi
Re: [websec] draft-ietf-websec-key-pinning Yoav Nir
Re: [websec] draft-ietf-websec-key-pinning Joseph Bonneau
Re: [websec] draft-ietf-websec-key-pinning Eric Lawrence
Re: [websec] draft-ietf-websec-key-pinning Trevor Perrin
Re: [websec] draft-ietf-websec-key-pinning Trevor Perrin
Re: [websec] draft-ietf-websec-key-pinning Trevor Perrin
Re: [websec] draft-ietf-websec-key-pinning Ryan Sleevi
Re: [websec] draft-ietf-websec-key-pinning Ryan Sleevi
Re: [websec] draft-ietf-websec-key-pinning Tobias Gondrom
Re: [websec] draft-ietf-websec-key-pinning Yoav Nir