On Wed, Oct 25, 2017 at 12:21 PM, Roland Zink <rol...@zinks.de> wrote:
> It could, but RFC 7469 section 2.6
> (https://tools.ietf.org/html/rfc7469#section-2.6) says:
>
> "It is acceptable to allow Pin Validation to be disabled for some Hosts
> according to local policy. For example, a UA may disable Pin Validation
> for Pinned Hosts whose validated certificate chain terminates at a
> user-defined trust anchor, rather than a trust anchor built-in to the UA
> (or underlying platform)."
>
> and most browsers seem to follow this MITM exception.
The browsers are also complicit in the cover-up. Reporting the broken pinset
to the user or site is a "should not", even though organizational policies
and regulations may require it.

Jeff

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
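Added example, not part of the thread and not any browser's code: a small model of RFC 7469 Pin Validation that makes the section 2.6 exception Roland quotes, and the reporting decision Jeff objects to, visible as a policy switch. Certificates are modelled only by their SubjectPublicKeyInfo DER bytes (constructed filler here, not real keys), and the `user_defined_anchor` flag is a hypothetical stand-in for "the validated chain terminates at a trust anchor the user installed rather than a built-in one". The header parser, the Backup Pin check and the report decision follow RFC 7469 sections 2.1, 2.4, 2.5 and 2.6 as I read them; the sample `Public-Key-Pins` header, hostnames and report URI are constructed.

```python
"""Pin Validation per RFC 7469 with the section 2.6 local-policy exception.

Added example. Certificates are modelled only by their SPKI DER bytes; the
DER values below are constructed filler, and user_defined_anchor is a
hypothetical flag meaning "chain ends at a locally added trust anchor".
"""
import base64
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass
class CertInfo:
    subject: str
    spki_der: bytes                    # DER-encoded SubjectPublicKeyInfo
    user_defined_anchor: bool = False  # hypothetical: root added by the user?


@dataclass
class PinPolicy:
    pins: set
    max_age: int
    include_subdomains: bool = False
    report_uri: Optional[str] = None


def spki_fingerprint(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(DER SPKI)), RFC 7469 section 2.4."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_pkp_header(value: str) -> PinPolicy:
    """Parse a Public-Key-Pins response header (RFC 7469 section 2.1)."""
    pins, max_age, incl, report = set(), None, False, None
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, raw = directive.partition("=")
        name, val = name.strip().lower(), raw.strip().strip('"')
        if name == "pin-sha256":
            pins.add(val)
        elif name == "max-age":
            max_age = int(val)
        elif name == "includesubdomains":
            incl = True
        elif name == "report-uri":
            report = val
    if max_age is None:
        raise ValueError("max-age directive is required")
    return PinPolicy(pins, max_age, incl, report)


def chain_fingerprints(chain):
    return {spki_fingerprint(c.spki_der) for c in chain}


def is_valid_pinning_header(policy, chain) -> bool:
    """A UA only notes pins when at least one pin matches an SPKI in the
    validated chain and at least one does not (the Backup Pin), section 2.5."""
    fps = chain_fingerprints(chain)
    return bool(policy.pins & fps) and bool(policy.pins - fps)


def validate_pinned_connection(policy, chain, disable_for_user_anchors=True):
    """Pin Validation (RFC 7469 section 2.6). Returns (ok, report_wanted).

    With disable_for_user_anchors=True the UA applies the section 2.6
    exception: a chain ending at a user-defined trust anchor is accepted
    without Pin Validation, so no failure is ever seen and nothing is
    reported. With it False, the interception is detected and reported.
    """
    if disable_for_user_anchors and chain[-1].user_defined_anchor:
        return True, False
    ok = bool(policy.pins & chain_fingerprints(chain))
    return ok, (not ok and policy.report_uri is not None)


# --- constructed sample data (not real keys or certificates) ---------------
LEAF = CertInfo("CN=example.com", b"constructed-spki-leaf")
INTERMEDIATE = CertInfo("CN=Example CA", b"constructed-spki-intermediate")
ROOT = CertInfo("CN=Builtin Root", b"constructed-spki-root")
GOOD_CHAIN = [LEAF, INTERMEDIATE, ROOT]

BACKUP_PIN = spki_fingerprint(b"constructed-spki-backup")
PKP_HEADER = (
    f'pin-sha256="{spki_fingerprint(LEAF.spki_der)}"; '
    f'pin-sha256="{BACKUP_PIN}"; max-age=5184000; includeSubDomains; '
    'report-uri="https://example.com/hpkp-report"'
)

# An interception proxy: different key, chain ends at a root the user installed.
MITM_LEAF = CertInfo("CN=example.com", b"constructed-spki-proxy-leaf")
MITM_ROOT = CertInfo("CN=Corporate Proxy Root", b"constructed-spki-proxy-root",
                     user_defined_anchor=True)
MITM_CHAIN = [MITM_LEAF, MITM_ROOT]


def demo():
    policy = parse_pkp_header(PKP_HEADER)
    return {
        "header_noted": is_valid_pinning_header(policy, GOOD_CHAIN),
        "good": validate_pinned_connection(policy, GOOD_CHAIN),
        "mitm_with_exception": validate_pinned_connection(policy, MITM_CHAIN),
        "mitm_strict": validate_pinned_connection(
            policy, MITM_CHAIN, disable_for_user_anchors=False),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The two `mitm_*` results are the point: with the exception enabled the proxy chain returns `(True, False)`, indistinguishable from the genuine chain, so neither the user nor the site's `report-uri` ever learns the pinset was bypassed; only with the exception off does the same chain produce `(False, True)`.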