Determine if Public-Key-Pins should be allowed as a cached header |
|||||
Issue descriptionAs part of Issue 779166 , support for 'dynamic' HPKP (that is, via the header) is being removed. The HPKP header "Public-Key-Pins" is treated as a non-cachable header, in order to prevent stale information from the cache being used to override more recently observed information (see https://tools.ietf.org/html/rfc7469#section-2.1.2 ) With support for HPKP removed, "Public-Key-Pins" is still treated as a non-cachable header; that is, HPKP is 'understood' to that extent, even if not supported or noted, and not cached. It remains undecided whether it's more appropriate to revert that change, allowing it to be cached and treating the implementation as if HPKP was never implemented, or to leave that part of the change in.
,
Oct 8
(Removing myself as owner; this was filed to track an open question mattm@ had, and I didn't want it to get lost when the bug was closed for removing HPKP as to what the question was in the CL) The simplest answer is that we just remove it from the list of non-cacheable headers. However, that will for sure burn the bridge about re-enabling it in subsequent releases, so I want to make sure we stick the removal. A more complex answer would be to get feedback from Mozilla on their thinking about dynamic HPKP, which they're deferring to do until we stick the landing. So in both cases, it's waiting on us being confident that the code has been excised.
,
Oct 9
,
Oct 9
,
Yesterday
(45 hours ago)
Ryan, Matt: Has your thinking on this moved at all in the meantime (see also https://github.com/httpwg/http-core/issues/165)?
,
Today
(12 hours ago)
The dynamic HPKP removal landed in M72, while stable is still M71, so I think we still need to wait a bit more to be sure the deprecation sticks. |
|||||
►
Sign in to add a comment |
|||||
Comment 1 by jochen@chromium.org
, Oct 8Status: Assigned (was: Untriaged)