RFC Errata
RFC 7469, "Public Key Pinning Extension for HTTP", April 2015
Source of RFC: websec (app)
See Also: RFC 7469 w/ inline errata
Errata ID: 4354
Status: Verified
Type: Technical
Publication Format(s): TEXT
Reported By: Kirit Saelensminde
Date Reported: 2015-05-04
Verifier Name: Barry Leiba
Date Verified: 2015-05-05
Section 3 says:
As in Section 2.4, the token refers to the algorithm name, and the quoted-string refers to the base64 encoding of the SPKI Fingerprint. When formulating the JSON POST body, the UA MUST either use single-quoted JSON strings or use double-quoted JSON strings and backslash-escape the embedded double quotes in the quoted-string part of the known-pin.
....
    'pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM="',
It should say:
As in Section 2.4, the token refers to the algorithm name, and the quoted-string refers to the base64 encoding of the SPKI Fingerprint. When formulating the JSON POST body, the UA MUST use double-quoted JSON strings and backslash-escape the embedded double quotes in the quoted-string part of the known-pin.
....
    "pin-sha256=\"d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=\"",
Notes:
This RFC seems to think that single quotes are permissible in JSON. This is not the case. See http://tools.ietf.org/html/rfc7159#section-7
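Added example (not part of the erratum or of RFC 7469): how a report collector could strictly parse the known-pins array, with the corrected double-quoted, backslash-escaped form round-tripping and the single-quoted form failing JSON parsing. The function names, the simplified token pattern and the restriction to pin-sha256 are assumptions of this example.

```python
import base64
import json
import re

# Simplified known-pin shape (assumption of this example): token="base64"
KNOWN_PIN_RE = re.compile(r'^(?P<alg>[A-Za-z0-9-]+)="(?P<b64>[A-Za-z0-9+/]+={0,2})"$')
# Raw digest length per accepted algorithm; a SHA-256 digest is 32 bytes.
DIGEST_LEN = {"pin-sha256": 32}


def format_known_pins(pins):
    """Serialize (token, base64_fingerprint) pairs as a JSON array of known-pin strings."""
    return json.dumps([f'{alg}="{b64}"' for alg, b64 in pins])


def parse_known_pins(raw):
    """Strictly parse a known-pins JSON array; raise ValueError on any malformed entry."""
    try:
        items = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not valid JSON: {exc.msg}") from exc
    if not isinstance(items, list):
        raise ValueError("known-pins must be a JSON array")
    pins = []
    for item in items:
        m = KNOWN_PIN_RE.match(item) if isinstance(item, str) else None
        if m is None:
            raise ValueError(f"malformed known-pin: {item!r}")
        alg, b64 = m.group("alg"), m.group("b64")
        if alg not in DIGEST_LEN:
            raise ValueError(f"unsupported pin algorithm: {alg}")
        try:
            digest = base64.b64decode(b64, validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError(f"bad base64 in known-pin: {b64!r}") from exc
        if len(digest) != DIGEST_LEN[alg]:
            raise ValueError(f"{alg} digest must be {DIGEST_LEN[alg]} bytes")
        pins.append((alg, b64))
    return pins


FP = "d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM="  # fingerprint quoted in the erratum
CORRECTED = format_known_pins([("pin-sha256", FP)])  # double-quoted, inner quotes escaped
# Single-quoted form from the original RFC text; strict JSON parsers reject it.
ORIGINAL = "['pin-sha256=\"" + FP + "\"']"

if __name__ == "__main__":
    print(CORRECTED, parse_known_pins(CORRECTED))
```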