This document is a product of the WebSec working group intended to be
published as a standards-track RFC. Yoav Nir is the document
shepherd. Barry Leiba is the responsible Area Director.
This memo describes an extension to the HTTP protocol allowing web
host operators to instruct user agents to remember ("pin") the hosts'
cryptographic identities for a given period of time. During that
time, UAs will require that the host present a certificate chain
including at least one Subject Public Key Info structure whose
fingerprint matches one of the pinned fingerprints for that host. By
effectively reducing the number of authorities who can authenticate
the domain during the lifetime of the pin, pinning may reduce the
incidence of man-in-the-middle attacks due to compromised
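The matching rule described above (during the pin's lifetime the served chain must carry at least one SubjectPublicKeyInfo whose SHA-256 fingerprint equals one of the pinned fingerprints, scoped by the max-age and includeSubdomains directives) as an added Python example; this is not code from the draft or from any user agent. It parses a pin header written in the draft's directive style, notes the pins for a host, and evaluates a served chain. The host names, the Ed25519 SPKI byte strings, the 60-day max-age and the report-only handling (a mismatch is reported rather than blocked, and max-age is optional) are constructed assumptions for illustration, not values or rules taken from this page.

```python
import base64
import hashlib
import re

# Constructed test SPKIs (assumption, not from the draft): an Ed25519
# SubjectPublicKeyInfo is the fixed DER prefix below followed by the 32 raw
# key bytes, so any 32-byte string yields a well-formed SPKI for hashing.
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")
LEAF_SPKI = ED25519_SPKI_PREFIX + bytes(range(1, 33))
INTERMEDIATE_SPKI = ED25519_SPKI_PREFIX + bytes(range(101, 133))
ROGUE_SPKI = ED25519_SPKI_PREFIX + bytes(range(201, 233))  # key a MITM would present


def spki_fingerprint(spki_der: bytes) -> str:
    """Pin value: base64 of the SHA-256 digest over the DER-encoded SPKI."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


# One directive: name [= quoted-string | token]; directives are ';'-separated.
_DIRECTIVE = re.compile(r'\s*([A-Za-z0-9-]+)\s*(?:=\s*(?:"([^"]*)"|([^;\s"]*)))?\s*')


def parse_pin_header(value: str, require_max_age: bool = True) -> dict:
    """Parse 'pin-sha256="..."; max-age=N; includeSubdomains' into a dict.

    Raises ValueError for malformed input so a UA can ignore the header.
    """
    pins, max_age, include_subdomains = set(), None, False
    for directive in value.split(";"):
        if not directive.strip():
            continue
        m = _DIRECTIVE.fullmatch(directive)
        if m is None:
            raise ValueError(f"malformed directive: {directive!r}")
        name = m.group(1).lower()  # directive names are case-insensitive
        arg = m.group(2) if m.group(2) is not None else m.group(3)
        if name == "pin-sha256":
            if arg is None or len(base64.b64decode(arg, validate=True)) != 32:
                raise ValueError("pin-sha256 must be base64 of a 32-byte digest")
            pins.add(arg)
        elif name == "max-age":
            max_age = int(arg)  # ABNF 1*DIGIT; int() rejects anything else
        elif name == "includesubdomains":
            include_subdomains = True
        # Unrecognised directives are ignored for forward compatibility.
    if not pins:
        raise ValueError("at least one pin-sha256 directive is required")
    if require_max_age and max_age is None:
        raise ValueError("max-age is required")
    return {"pins": pins, "max_age": max_age, "include_subdomains": include_subdomains}


def note_pins(host: str, header_value: str, now: int, report_only: bool = False) -> dict:
    """Record ("note") the pins a host sent, with their absolute expiry time."""
    parsed = parse_pin_header(header_value, require_max_age=not report_only)
    expires = None if parsed["max_age"] is None else now + parsed["max_age"]
    return {
        "host": host.lower(),
        "pins": parsed["pins"],
        "include_subdomains": parsed["include_subdomains"],
        "expires": expires,
        "report_only": report_only,
    }


def pin_covers_host(pin: dict, target_host: str) -> bool:
    """Exact host match, or a subdomain when includeSubdomains was noted."""
    target_host = target_host.lower()
    if target_host == pin["host"]:
        return True
    return pin["include_subdomains"] and target_host.endswith("." + pin["host"])


def chain_matches(pin: dict, served_spkis: list) -> bool:
    """True if ANY SPKI in the served chain hashes to one of the noted pins."""
    return bool({spki_fingerprint(s) for s in served_spkis} & pin["pins"])


def evaluate(pin: dict, target_host: str, served_spkis: list, now: int) -> str:
    """Decide a connection: 'allow', 'block', or 'report' (report-only pin)."""
    if pin["expires"] is not None and now >= pin["expires"]:
        return "allow"  # pin has aged out; nothing is enforced
    if not pin_covers_host(pin, target_host):
        return "allow"  # pin is for a different host
    if chain_matches(pin, served_spkis):
        return "allow"
    return "report" if pin["report_only"] else "block"


if __name__ == "__main__":
    header = (f'pin-sha256="{spki_fingerprint(LEAF_SPKI)}"; '
              f'pin-sha256="{spki_fingerprint(INTERMEDIATE_SPKI)}"; '
              'max-age=5184000; includeSubdomains')
    pin = note_pins("example.com", header, now=1000)
    print("legit chain:", evaluate(pin, "www.example.com", [LEAF_SPKI], 2000))
    print("rogue chain:", evaluate(pin, "www.example.com", [ROGUE_SPKI], 2000))
```

The check is deliberately "any SPKI in the chain", not "the leaf": an operator may pin an intermediate or root key instead of the end-entity key, and a pin that matches nothing in the served chain is what turns a mis-issued certificate into a hard failure (or a report, for a report-only pin).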
Review and Consensus
Previous versions of this document received useful reviews on the
mailing list. Many changes were introduced due to working group
consensus, including to pin format, an includeSubdomains directive,
and interaction with private trust anchors.
Some changes were proposed and rejected by the working group, most
notably named pins, a "strict" directive, and hard limits on the
max-age directive. The consensus on these involved a long and hard
discussion, but as chairs, Tobias and I believe that it is a regular
rather than rough consensus.
Two issues that were left for last were the interaction of pre-loaded
pins with noted pins, and the processing of report-only pins. There
was a lot of controversy and a lot of back-and-forth about these
issues. We believe that the current draft represents the working
group's consensus, although at least one participant would have
preferred a different outcome.
Each author has confirmed conformance with BCPs 78 and 79.
The document makes a normative reference to
draft-josefsson-pkix-textual-03 for the format of the
served-certificate-chain field in the failure report described in
section 3. The authors of that draft have asked Stephen Farrell to
sponsor the draft, and he will if the people on the PKIX list agree.
The document includes some ABNF in section 2.1. It seems clear enough
but it has not been reviewed by an ABNF doctor.
RFC 6234 - already in downref registry