On Fri, August 29, 2014 8:43 am, Gervase Markham wrote:
> On 28/08/14 17:20, Camilo Viecco wrote:
> > 1. The PKP-RO header is not really useful, it might help on initial
> > deployment of PKP but it cannot really be tested when it really matters
> > most when you are actually changing certificates.
>
> Why not? Why would it not be possible to deploy a PKP-RO and then change
> your certificates?
>
> > 2. Storing more data for websites for no benefit for the user seems like
> > a no-go (especially given concerns on mobile) therefore until proved
> > wrong the pkp-ro will be done for session only.
>
> Is the amount of data involved expected to be significant in size?
>
> > 3. To simplify development we will initially limit PKP-RO only to the
> > current connection. (no initial storage of PKP-RO)
>
> Isn't it simpler for development to treat the headers as identical apart
> from in the actual display of the error?
>
> Gerv
Not what the current (post-LC) spec says. If Mozilla has strong feelings, it would be useful to continue the discussion in the IETF WebSec group, and the broader question of "Should the spec be withdrawn from the queue to accommodate this" be answered.

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
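Editor's note: the disagreement above (Camilo's point 1 versus Gerv's "why would it not be possible to deploy a PKP-RO and then change your certificates?") turns on how pin validation treats a backup pin. The following Python is an added example, not code from this thread and not Mozilla's or the IETF draft's implementation. It models the pin rules of the key-pinning spec under discussion (published later as RFC 7469): parse a Public-Key-Pins / Public-Key-Pins-Report-Only value, compute pins as SHA-256 over a DER SubjectPublicKeyInfo, require a backup pin before noting the header, and then walk through a certificate change under both headers. The SPKI byte strings, the header value and the report-uri are constructed stand-ins; real pins come from the DER SPKI of the actual certificates.

```python
"""Model of PKP / PKP-RO pin validation for a certificate-rotation scenario.

Added example, not code from the thread. SPKI values below are constructed
stand-ins for the DER SubjectPublicKeyInfo of real certificates.
"""
import base64
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class PinHeader:
    """Parsed Public-Key-Pins (PKP) or Public-Key-Pins-Report-Only (PKP-RO) value."""
    pins: List[str] = field(default_factory=list)   # base64 SHA-256(SPKI) values
    max_age: Optional[int] = None                   # seconds the pins stay noted
    include_subdomains: bool = False
    report_uri: Optional[str] = None
    report_only: bool = False


def spki_pin(spki_der: bytes) -> str:
    """Pin value: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_pin_header(value: str, report_only: bool = False) -> PinHeader:
    """Parse a PKP / PKP-RO field value: directives separated by ';'."""
    hdr = PinHeader(report_only=report_only)
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, raw = directive.partition("=")
        name = name.strip().lower()
        val = raw.strip().strip('"')
        if name == "pin-sha256":
            # A SHA-256 digest is 32 bytes: 44 base64 characters with one '=' pad.
            if not re.fullmatch(r"[A-Za-z0-9+/]{43}=", val):
                raise ValueError(f"malformed pin-sha256 value: {val!r}")
            hdr.pins.append(val)
        elif name == "max-age":
            hdr.max_age = int(val)
        elif name == "includesubdomains":
            hdr.include_subdomains = True
        elif name == "report-uri":
            hdr.report_uri = val
        # Unknown directives are ignored.
    return hdr


def chain_matches(chain_spki: List[bytes], pins: List[str]) -> bool:
    """Pin validation succeeds if any SPKI in the validated chain is pinned."""
    return any(spki_pin(s) in pins for s in chain_spki)


def header_is_noteworthy(chain_spki: List[bytes], hdr: PinHeader) -> bool:
    """A UA only notes a pin header when at least one pin matches the served
    chain and at least one does not: that second pin is the backup pin."""
    matched = {spki_pin(s) for s in chain_spki} & set(hdr.pins)
    return bool(matched) and bool(set(hdr.pins) - matched)


def evaluate(chain_spki: List[bytes], hdr: PinHeader) -> str:
    """Outcome of a later connection under a noted header:
    'ok'     - the chain matches a pin,
    'report' - PKP-RO mismatch: the connection proceeds and a report is sent,
    'fail'   - PKP mismatch: the connection is rejected."""
    if chain_matches(chain_spki, hdr.pins):
        return "ok"
    return "report" if hdr.report_only else "fail"


def rotation_walkthrough() -> Dict[str, object]:
    """Deploy PKP-RO with a current and a backup pin, then change certificates."""
    # Constructed SPKI stand-ins; real values are the DER SPKI of each certificate.
    key_current = b"constructed-spki-current-key"
    key_backup = b"constructed-spki-backup-key"
    key_unplanned = b"constructed-spki-key-nobody-pinned"

    # Constructed header value; the report-uri is hypothetical.
    value = (f'pin-sha256="{spki_pin(key_current)}"; '
             f'pin-sha256="{spki_pin(key_backup)}"; '
             'max-age=5184000; report-uri="https://example.com/hpkp-report"')
    ro = parse_pin_header(value, report_only=True)
    enforce = parse_pin_header(value)

    return {
        # Initial deployment: the header is accepted because it carries a backup pin.
        "noted": header_is_noteworthy([key_current], ro),
        # Planned rotation to the backup key: still matches, nothing to report.
        "rotate_to_backup": evaluate([key_backup], ro),
        # Rotation to a key that was never pinned: PKP-RO only reports ...
        "rotate_to_unpinned_ro": evaluate([key_unplanned], ro),
        # ... where an enforcing PKP header would have broken the site.
        "rotate_to_unpinned_enforce": evaluate([key_unplanned], enforce),
    }


if __name__ == "__main__":
    for step, outcome in rotation_walkthrough().items():
        print(f"{step}: {outcome}")
```

The walkthrough is the case Gerv is asking about: a rotation to the backup key passes validation under either header, and a rotation to a key that was never pinned produces a report under PKP-RO but a hard failure under PKP. Note that `evaluate` only says anything about a later connection if the UA kept the header around; under the thread's proposal 3 (PKP-RO evaluated against the current connection only), the header would never be compared against a subsequent, rotated chain at all, which is the behaviour Camilo's point 1 is describing.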