by btown 3354 days ago
Presumably there is a manual process to ask browser maintainers to invalidate fraudulent pins. Hell, list maintainers could charge a processing fee to ensure manual review of each case, and frequent update cycles that don't require browser restarts. The spec makes this possible but not necessary or even outlined, which I think is an oversight.

   UAs MAY choose to implement additional sources of pinning
   information, such as through built-in lists of pinning information.
   Such UAs should allow users to override such additional sources,
   including disabling them from consideration.

   The effective policy for a Known Pinned Host that has both built-in
   Pins and Pins from previously observed PKP header response fields is
   implementation-defined.
https://tools.ietf.org/html/rfc7469#section-2.1