Re: [websec] DISCUSS positions on draft-ietf-websec-key-pinning

Yoav Nir <> Tue, 19 August 2014 15:37 UTC

To: Ryan Sleevi <>
Cc:, Barry Leiba <>, "<>" <>, The IESG <>

What Barry and Tobias said. 


On Aug 14, 2014, at 7:20 PM, Ryan Sleevi <> wrote:
> In addition to these points, the feedback/recent errata from Eric Lawrence regarding HSTS is also extremely relevant to the discussion of HPKP, and we were waiting to see what actions, if any, the WG takes regarding that draft, lest we find ourselves immediately writing a bis to deal with those same points.
I don’t know what is going to come of the issue that Eric found. It’s entirely possible that nothing will come out of it, or that we’ll have a document updating HSTS, or that we’ll have a document profiling the deployment of HSTS.

Either way, this will require more discussion either in this working group or elsewhere. If we wanted to make a change like this to HPKP, that would require pulling the publication request and sending the document back to the working group. I don’t think any of us wants that.

So, I think you should make all the necessary changes regardless of Eric’s issue, so that we can progress HPKP. If that issue later leads to a new RFC, it can update and/or profile HPKP at the same time as it does HSTS.

This should not impede our progress.