Yea, that is one of the problems with real-world pinning deployment today. If I get something wrong I might lock out users for the max-age they were previously pinned to. Safely being able to reset that is compelling. :)

Aloha Mike,

--
Jim Manico
@Manicode
(808) 652-3805

On Jan 23, 2015, at 9:44 AM, Mike West <mkwst@google.com> wrote:

> On Fri, Jan 23, 2015 at 6:38 PM, Jim Manico <jim.manico@owasp.org> wrote:
>
>> All I'm saying is that if pinning config can be set via a manifest like
>> structure vs headers, I'd suggest that headers take precedence.
>
> The csp-pinning proposal (and PKP (and HSTS)) ignores any pin for a host that already has a pin. First one in wins, which is good for security, as it can't be maliciously overridden. Of course, it's bad for flexibility for the same reasons. *shrug* That's a trade off I think we should allow developers to make.
>
> Actually, there might be some subtlety here (can't HSTS/PKP turn itself off with a 0 max-age? Chris? Ryan? I didn't see that logic in a quick skim of the RFCs)
>
>> If I'm way off base or being disruptive, let me know off-list and I'll go
>> back to lurking and popcorn.
>
> Not at all! Feedback/questions are totally welcome!
>
> -mike

Received on Friday, 23 January 2015 17:48:16 UTC
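The pin-cache behaviour the two messages above are debating (a wrong pin locking users out for the full max-age, "first one in wins" versus a later header replacing the pin set, and whether max-age=0 clears a pin) as an added example, not part of the original thread and not any browser's code. It is a toy Python model of a user agent's pin store; the host name, the SPKI hash strings and the scenarios are constructed, the first-wins mode follows Mike's description of the csp-pinning proposal, and the replace mode plus the max-age=0 reset and the backup-pin check follow RFC 7469 (PKP) and RFC 6797 (HSTS).

```python
"""Toy model of a user agent's pin cache (added example, not any browser's code).

It shows the two points in the thread: a pin that no longer matches the served
key locks users out until max-age expires, because the UA never processes a
corrective header over a connection that fails pin validation; and the
precedence rule (first-one-wins vs. replace) decides whether a later, valid
header can change the pin set. max-age=0 clears the entry in both modes, as
RFC 7469 (PKP) and RFC 6797 (HSTS) specify.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

DAY = 24 * 3600


@dataclass
class PinEntry:
    pins: Set[str]      # SPKI hashes the UA will accept for the host
    expires_at: float   # simulated clock value at which the entry expires


class PinStore:
    def __init__(self, first_wins: bool) -> None:
        self.first_wins = first_wins   # True: model the csp-pinning rule from the thread
        self.clock = 0.0               # simulated time in seconds
        self.hosts: Dict[str, PinEntry] = {}

    def advance(self, seconds: float) -> None:
        self.clock += seconds

    def _active(self, host: str) -> Optional[PinEntry]:
        entry = self.hosts.get(host)
        if entry is not None and entry.expires_at <= self.clock:
            del self.hosts[host]       # expired: forget the host
            return None
        return entry

    def connection_allowed(self, host: str, chain_spki: Iterable[str]) -> bool:
        """A pinned host is reachable only if some SPKI in the chain matches a stored pin."""
        entry = self._active(host)
        return entry is None or not entry.pins.isdisjoint(chain_spki)

    def apply_header(self, host: str, pins: Set[str], max_age: int,
                     chain_spki: Set[str]) -> str:
        """Process a pin directive served by `host` with certificate chain `chain_spki`."""
        if not self.connection_allowed(host, chain_spki):
            return "rejected"          # connection fails pin validation; header never seen
        if max_age == 0:
            self.hosts.pop(host, None) # max-age=0: cease regarding the host as pinned
            return "cleared"
        # RFC 7469-style validity: at least one pin must match the chain and at
        # least one must not (a backup pin); otherwise the header is not noted.
        if pins.isdisjoint(chain_spki) or pins <= chain_spki:
            return "invalid"
        if self.first_wins and self._active(host) is not None:
            return "ignored"           # first one in wins until expiry
        self.hosts[host] = PinEntry(set(pins), self.clock + max_age)
        return "stored"


def simulate_lockout(first_wins: bool) -> List[str]:
    """Constructed scenario: backup key lost, new key deployed while the old pin is live."""
    store, host = PinStore(first_wins), "example.test"
    log: List[str] = []
    log.append(store.apply_header(host, {"spki-A", "spki-B"}, 60 * DAY, {"spki-A"}))
    store.advance(DAY)
    log.append("ok" if store.connection_allowed(host, {"spki-A"}) else "locked-out")
    # Operator rotates to key C, which is neither the pinned key nor the backup.
    log.append("ok" if store.connection_allowed(host, {"spki-C"}) else "locked-out")
    # A corrective header served with the new chain cannot help: the UA never reads it.
    log.append(store.apply_header(host, {"spki-C", "spki-D"}, 60 * DAY, {"spki-C"}))
    store.advance(59 * DAY)            # only expiry of the original max-age recovers the client
    log.append("ok" if store.connection_allowed(host, {"spki-C"}) else "locked-out")
    return log


def simulate_precedence(first_wins: bool) -> List[str]:
    """Constructed scenario: a later valid header tries to change the pin set, then reset it."""
    store, host = PinStore(first_wins), "example.test"
    log: List[str] = []
    log.append(store.apply_header(host, {"spki-A", "spki-B"}, 60 * DAY, {"spki-A"}))
    log.append(store.apply_header(host, {"spki-A", "spki-C"}, 60 * DAY, {"spki-A"}))
    log.append(store.apply_header(host, set(), 0, {"spki-A"}))
    log.append("ok" if store.connection_allowed(host, {"spki-Z"}) else "locked-out")
    return log


if __name__ == "__main__":
    for mode in (True, False):
        label = "first_wins" if mode else "replace"
        print(label, simulate_lockout(mode), simulate_precedence(mode))
```

The lock-out scenario comes out the same under both precedence rules: once the served key matches nothing in the stored pin set, the UA refuses the connection before it ever sees a corrective header or a max-age=0 reset, so only expiry of the original max-age helps. The precedence rule only matters for headers delivered over a connection that still validates, which is where "first one wins" blocks a rotation that a replace rule would accept. The backup-pin check is the RFC's own mitigation for the simplest typo case; the model leaves out includeSubDomains and report-uri.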