The IESG has received a request from the Web Security WG (websec) to
consider the following document:
- 'Public Key Pinning Extension for HTTP'
<draft-ietf-websec-key-pinning-19.txt> as Proposed Standard
The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2014-08-01. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.
Abstract
This document describes an extension to the HTTP protocol allowing
web host operators to instruct user agents to remember ("pin") the
hosts' cryptographic identities for a given period of time. During
that time, UAs will require that the host present a certificate chain
including at least one Subject Public Key Info structure whose
fingerprint matches one of the pinned fingerprints for that host. By
effectively reducing the number of authorities who can authenticate
the domain during the lifetime of the pin, pinning may reduce the
incidence of man-in-the-middle attacks due to compromised
Certification Authorities.
The file can be obtained via
http://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/
IESG discussion can be tracked via
http://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/ballot/
No IPR declarations have been submitted directly on this I-D.
