
Public Key Pinning without a backup pin should be warned

Question asked by hellotls on Jan 24, 2015
Latest reply on Jun 29, 2015 by Ivan Ristić

draft-ietf-websec-key-pinning-21 (Public Key Pinning Extension for HTTP), Section 2.5 "Noting Pins", requires the server to set a backup pin:

      The given set of Pins contains at least one Pin that does NOT
      refer to an SPKI in the certificate chain.  (That is, the host
      must set a Backup Pin; see Section 4.3.)


An example is Qualys SSL Labs - Projects / SSL Server Test /, which only sets one pin. I think it's better to give it a warning, rather than a green "Yes".
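The check the question asks for, as an added example that is not part of the original post or of SSL Labs' own code: parse a Public-Key-Pins header, derive pins from the chain's SPKI structures, and report whether at least one pin does not refer to an SPKI in the chain. The SPKI byte strings and the header are constructed stand-ins, not real certificates; the same section of the draft also requires that at least one pin does match the chain, so both findings are reported.

```python
import base64
import hashlib

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs (hypothetical values).
LEAF_SPKI = b"constructed-leaf-spki-der"
INTERMEDIATE_SPKI = b"constructed-intermediate-spki-der"


def spki_pin(spki_der: bytes) -> str:
    """Pin value as the draft defines it: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_pkp_header(value: str) -> dict:
    """Split a Public-Key-Pins header value into pin-sha256 values and other directives."""
    pins, directives = [], {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "pin-sha256":
            pins.append(val)
        else:
            # Directives without a value (e.g. includeSubDomains) are recorded as flags.
            directives[name] = val if val else True
    return {"pins": pins, "directives": directives}


def check_backup_pin(header_value: str, chain_spkis: list) -> dict:
    """Apply the 'Noting Pins' rule: report pins matching the chain and backup pins."""
    chain_pins = {spki_pin(s) for s in chain_spkis}
    pins = set(parse_pkp_header(header_value)["pins"])
    in_chain = pins & chain_pins
    backup = pins - chain_pins
    return {
        "pins_in_chain": sorted(in_chain),
        "backup_pins": sorted(backup),
        "has_chain_match": bool(in_chain),
        # False here is the case the question describes: a single pin, no backup.
        "has_backup": bool(backup),
    }
```

A scanner reporting a green "Yes" should require both `has_chain_match` and `has_backup`; a header with only the leaf's pin yields `has_backup == False` and deserves a warning.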