
Re: CfC to publish FPWD of CSP Pinning; deadline Feb. 9th

From: Mike West <mkwst@google.com>
Date: Tue, 10 Feb 2015 10:36:20 +0100
Message-ID: <CAKXHy=fUprmjCTXpSGvj9tUS7Y9+3k2vD+x-9_EJpv_VCkYrbw@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Cc: Dan Veditz <dveditz@mozilla.com>, Brad Hill <hillbrad@gmail.com>, Wendy Seltzer <wseltzer@w3.org>

On Mon, Feb 2, 2015 at 11:05 AM, Mike West <mkwst@google.com> wrote:

> This is a call for consensus to publish the following draft of "CSP
> Pinning" as a First Public Working Draft:
>
>
> https://w3c.github.io/webappsec/specs/csp-pinning/published/2015-02-FPWD.html
>
> This document defines a new HTTP header that allows authors to instruct
> user agents to remember ("pin") and enforce a Content Security Policy for a
> set of hosts for a period of time.
>
> There's still work to be done, but I believe the document clearly falls
> under the group's charter, and is ready for initial publication. Do you
> agree? Please send any and all comments to public-webappsec@w3.org. This
> CfC will end with our next call, on February 9th, 2015.
>

No news is good news, right? Given the conversation on the other threads,
I'd say that folks are generally positive about this kind of mechanism
(Brad in particular claimed that Facebook would find it useful), and that
Brian is skeptical of both the mechanic and the value proposition.

I've updated the draft at
https://w3c.github.io/webappsec/specs/csp-pinning/published/2015-02-FPWD.html.
Wendy, Brad, Dan, WDYT about proceeding with a publication request? I think
it's worthwhile, but it's not clear whether silence on the list represents
consensus or paralysis. :)

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registration court and number: Hamburg, HRB 86891, Registered
office: Hamburg, Managing directors: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Tuesday, 10 February 2015 09:37:09 UTC
