
Re: CfC to publish FPWD of CSP Pinning; deadline Feb. 9th

From: Mike West <mkwst@google.com>
Date: Mon, 16 Feb 2015 17:05:21 +0100
Message-ID: <CAKXHy=euV1H2+DRnnsMTS=rHm=mVwitqEewXBfQcff0dBoG-qg@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Cc: Dan Veditz <dveditz@mozilla.com>, Brad Hill <hillbrad@gmail.com>, Wendy Seltzer <wseltzer@w3.org>, Brian Smith <brian@briansmith.org>

Let's extend this CfC to next week's call as well. The only actionable
feedback has been Brian's questions around whether this is something
we should be focusing on[1]. I hope I've responded to that adequately,
but delaying publication until there's more positive response seems
prudent.

In the meantime, I've updated
https://w3c.github.io/webappsec/specs/csp-pinning/published/2015-02-FPWD.html
a bit. Feedback welcome. :)

[1]: https://lists.w3.org/Archives/Public/public-webappsec/2015Feb/0223.html
[2]: https://lists.w3.org/Archives/Public/public-webappsec/2015Feb/0246.html

-mike
--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany,
Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine
Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)


On Tue, Feb 10, 2015 at 10:36 AM, Mike West <mkwst@google.com> wrote:
> On Mon, Feb 2, 2015 at 11:05 AM, Mike West <mkwst@google.com> wrote:
>>
>> This is a call for consensus to publish the following draft of "CSP
>> Pinning" as a First Public Working Draft:
>>
>>
>> https://w3c.github.io/webappsec/specs/csp-pinning/published/2015-02-FPWD.html
>>
>> This document defines a new HTTP header that allows authors to instruct
>> user agents to remember ("pin") and enforce a Content Security Policy for a
>> set of hosts for a period of time.
>>
>> There's still work to be done, but I believe the document clearly falls
>> under the group's charter, and is ready for initial publication. Do you
>> agree? Please send any and all comments to public-webappsec@w3.org. This CfC
>> will end with our next call, on February 9th, 2015.
>
>
> No news is good news, right? Given the conversation on the other threads,
> I'd say that folks are generally positive about this kind of mechanism (Brad
> in particular claimed that Facebook would find it useful), and that Brian is
> skeptical of both the mechanic and the value proposition.
>
> I've updated the draft at
> https://w3c.github.io/webappsec/specs/csp-pinning/published/2015-02-FPWD.html.
> Wendy, Brad, Dan, WDYT about proceeding with a publication request? I think
> it's worthwhile, but it's not clear whether silence on the list represents
> consensus or paralysis. :)
>
> --
> Mike West <mkwst@google.com>, @mikewest
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany,
> Registergericht und -nummer: Hamburg, HRB 86891, Sitz der Gesellschaft:
> Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Monday, 16 February 2015 16:06:09 UTC
