The IESG has approved the following document:

- 'Public Key Pinning Extension for HTTP'
  (draft-ietf-websec-key-pinning-21.txt) as Proposed Standard

This document is the product of the Web Security Working Group.

The IESG contact persons are Barry Leiba and Pete Resnick.

A URL of this Internet Draft is:
http://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/

Technical Summary

This spec describes an extension to the HTTP protocol allowing web host operators to instruct user agents to remember ("pin") the hosts' cryptographic identities for a given period of time. During that time, UAs will require that the host present a certificate chain including at least one Subject Public Key Info structure whose fingerprint matches one of the pinned fingerprints for that host. By effectively reducing the number of authorities who can authenticate the domain during the lifetime of the pin, pinning may reduce the incidence of man-in-the-middle attacks due to compromised Certification Authorities.

Review and Consensus

Previous versions of this document received useful reviews on the mailing list. Many changes were introduced due to working group consensus, including changes to the pin format, an includeSubdomains directive, and the interaction with private trust anchors. Some changes were proposed and rejected by the working group, most notably named pins, a "strict" directive, and hard limits on the max-age directive. The consensus on these involved a long and hard discussion, but as chairs, Tobias and I believe that it is a regular rather than rough consensus.

Two issues that were left for last were the interaction of pre-loaded pins with noted pins, and the processing of report-only pins. There was a lot of controversy and a lot of back-and-forth about these issues. We believe that the current draft represents the working group's consensus, although at least one participant would have preferred a different outcome.

Personnel

Yoav Nir is the document shepherd.
Barry Leiba is the responsible Area Director.
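The check described in the Technical Summary, as an added illustration that is not part of the announcement or of the draft itself: a user agent notes the pins from a Public-Key-Pins header and, while they are live, accepts a chain only if at least one SPKI in it hashes to a noted pin. The header directive names (pin-sha256, max-age, includeSubDomains) and the rule that a UA ignores a header carrying fewer than two pins (a "backup pin") are taken from the published RFC 7469, not from the text above; the SPKI byte strings are constructed stand-ins, since only their hashes matter here.

```python
import base64
import hashlib

# Parse a Public-Key-Pins header value. Directive names follow the published
# spec (RFC 7469), not the announcement above. Returns None if the header is
# unusable: no max-age, or fewer than two pins (the spec requires a backup pin).
def parse_pkp_header(value):
    pins, max_age, include_sub = set(), None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "pin-sha256":
            pins.add(arg)
        elif name == "max-age":
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None or len(pins) < 2:
        return None
    return {"pins": pins, "max_age": max_age, "include_subdomains": include_sub}

# Fingerprint of one DER-encoded SubjectPublicKeyInfo: base64(SHA-256(SPKI)).
def spki_fingerprint(spki_der):
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

# Does a pin noted for pinned_host apply to a connection to host?
def pin_applies(host, pinned_host, noted):
    if host == pinned_host:
        return True
    return noted["include_subdomains"] and host.endswith("." + pinned_host)

# The check the summary describes: while the pin is live, the presented chain
# must contain at least one SPKI whose fingerprint is in the noted pin set.
# Returns "ok", "mismatch" (the connection must fail), or "expired" (the pin is
# no longer enforced; ordinary certificate validation alone applies).
def check_chain(chain_spkis, noted, noted_at, now):
    if now > noted_at + noted["max_age"]:
        return "expired"
    if any(spki_fingerprint(s) in noted["pins"] for s in chain_spkis):
        return "ok"
    return "mismatch"

# Constructed sample data: stand-ins for DER SPKIs (any bytes hash the same way).
LEAF = b"constructed-leaf-spki"
INTERMEDIATE = b"constructed-intermediate-spki"
BACKUP = b"constructed-backup-key-spki"
ROGUE = b"constructed-rogue-ca-spki"
HEADER = ('pin-sha256="%s"; pin-sha256="%s"; max-age=5184000; includeSubDomains'
          % (spki_fingerprint(INTERMEDIATE), spki_fingerprint(BACKUP)))
```

A chain of LEAF plus INTERMEDIATE passes because the intermediate's SPKI is pinned; LEAF plus ROGUE fails even if a trusted CA signed it, which is the point of the mechanism.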