RFC Errata
Found 3 records.
Status: Verified (2)
RFC 7469, "Public Key Pinning Extension for HTTP", April 2015
Source of RFC: websec (app)
Errata ID: 4354
Status: Verified
Type: Technical
Publication Format(s) : TEXT
Reported By: Kirit Saelensminde
Date Reported: 2015-05-04
Verifier Name: Barry Leiba
Date Verified: 2015-05-05
Section 3 says:
As in Section 2.4, the token refers to the algorithm name, and the quoted-string refers to the base64 encoding of the SPKI Fingerprint. When formulating the JSON POST body, the UA MUST either use single-quoted JSON strings or use double-quoted JSON strings and backslash-escape the embedded double quotes in the quoted-string part of the known-pin. .... 'pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM="',
It should say:
As in Section 2.4, the token refers to the algorithm name, and the quoted-string refers to the base64 encoding of the SPKI Fingerprint. When formulating the JSON POST body, the UA MUST use double-quoted JSON strings and backslash-escape the embedded double quotes in the quoted-string part of the known-pin. .... "pin-sha256=\"d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=\"",
Notes:
This RFC seems to think that single quotes are permissible in JSON. This is not the case. See http://tools.ietf.org/html/rfc7159#section-7
Errata ID: 4658
Status: Verified
Type: Editorial
Publication Format(s) : TEXT
Reported By: Jxck
Date Reported: 2016-04-08
Verifier Name: Barry Leiba
Date Verified: 2016-04-08
Section 3. Reporting Pin Validation Failure says:
{ "date-time": "2014-04-06T13:00:50Z", "hostname": "www.example.com", "port": 443, "effective-expiration-date": "2014-05-01T12:40:50Z"
It should say:
{ "date-time": "2014-04-06T13:00:50Z", "hostname": "www.example.com", "port": 443, "effective-expiration-date": "2014-05-01T12:40:50Z",
Notes:
Missing comma after "effective-expiration-date": "2014-05-01T12:40:50Z" in JSON at Figure 8: Pin Validation Failure Report Example
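Both verified errata are about the JSON syntax of the Pin Validation Failure Report: erratum 4354 (JSON has no single-quoted strings, so a known-pin must be a double-quoted string with its inner double quotes backslash-escaped) and erratum 4658 (a missing comma in Figure 8). The following Python is an added example, not text from the RFC or the errata: it builds a report body with a real JSON serialiser, which produces the escaped form erratum 4354 asks for, and parses received bodies with a strict JSON parser so that both erroneous fragments are rejected. The report field names are those of RFC 7469 Section 3; the regular expression for the known-pin shape and the 32-byte length check for pin-sha256 are this example's own assumptions, and all sample values are constructed (the fingerprint is the one from the RFC's example text).

```python
import base64
import json
import re

# Assumed shape of one known-pin entry, following the RFC's example text:
# pin-<algorithm>="<base64 SPKI fingerprint>" (this regex is not from the RFC).
_KNOWN_PIN_RE = re.compile(r'^pin-([A-Za-z0-9-]+)="([A-Za-z0-9+/]+=*)"$')

# Constructed sample value; the fingerprint appears in the RFC's Section 3 example.
SAMPLE_FINGERPRINT = "d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM="


def known_pin(algorithm: str, fingerprint_b64: str) -> str:
    """Serialise one known-pin the way the RFC writes it: pin-sha256="<base64>"."""
    return f'pin-{algorithm}="{fingerprint_b64}"'


def parse_known_pin(value: str) -> tuple:
    """Split a known-pin into (algorithm, base64) and sanity-check the digest.

    Raises ValueError when the value does not have the token="quoted-string"
    shape, is not valid base64, or (for sha256) does not decode to 32 bytes."""
    m = _KNOWN_PIN_RE.match(value)
    if not m:
        raise ValueError(f"malformed known-pin: {value!r}")
    algorithm, fingerprint_b64 = m.group(1), m.group(2)
    digest = base64.b64decode(fingerprint_b64, validate=True)
    if algorithm == "sha256" and len(digest) != 32:
        raise ValueError("pin-sha256 fingerprint must decode to 32 bytes")
    return algorithm, fingerprint_b64


def build_report(hostname: str, port: int, date_time: str, expiry: str,
                 noted_hostname: str, served_chain: list, validated_chain: list,
                 known_pins: list, include_subdomains: bool = False) -> str:
    """Serialise a Pin Validation Failure Report (RFC 7469 Section 3) as JSON.

    json.dumps emits double-quoted strings and backslash-escapes the double
    quotes inside each known-pin, which is exactly what erratum 4354 requires."""
    report = {
        "date-time": date_time,
        "hostname": hostname,
        "port": port,
        "effective-expiration-date": expiry,
        "include-subdomains": include_subdomains,
        "noted-hostname": noted_hostname,
        "served-certificate-chain": served_chain,
        "validated-certificate-chain": validated_chain,
        "known-pins": known_pins,
    }
    return json.dumps(report, indent=2)


def parse_report(text: str) -> dict:
    """Parse a received report body strictly and validate every known-pin.

    A single-quoted known-pin (erratum 4354) or a missing comma (erratum 4658)
    is rejected by the JSON parser; a malformed pin is rejected afterwards."""
    try:
        report = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"report body is not valid JSON: {exc}") from None
    for pin in report.get("known-pins", []):
        parse_known_pin(pin)
    return report


def is_valid_report(text: str) -> bool:
    """True when parse_report accepts the body, False on any ValueError."""
    try:
        parse_report(text)
        return True
    except ValueError:
        return False


# Constructed bodies reproducing the two defects the errata correct.
SINGLE_QUOTED_BODY = '{ "known-pins": [ \'pin-sha256="%s"\' ] }' % SAMPLE_FINGERPRINT
MISSING_COMMA_BODY = (
    '{ "date-time": "2014-04-06T13:00:50Z", "hostname": "www.example.com", '
    '"port": 443, "effective-expiration-date": "2014-05-01T12:40:50Z" '
    '"include-subdomains": false }'
)

if __name__ == "__main__":
    body = build_report(
        hostname="www.example.com", port=443,
        date_time="2014-04-06T13:00:50Z", expiry="2014-05-01T12:40:50Z",
        noted_hostname="example.com", served_chain=["(constructed PEM chain)"],
        validated_chain=[], known_pins=[known_pin("sha256", SAMPLE_FINGERPRINT)],
    )
    print(body)
    print("single-quoted accepted:", is_valid_report(SINGLE_QUOTED_BODY))
    print("missing comma accepted:", is_valid_report(MISSING_COMMA_BODY))
```

The serialised body contains `"pin-sha256=\"d6qz...\""`, the corrected form of erratum 4354; both constructed defective bodies fail `json.loads`. A report receiver that hand-rolls its JSON parsing, or uses a lenient one, would silently accept the RFC's original single-quoted text, so validating with a strict parser is the practical check.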
Status: Reported (1)
RFC 7469, "Public Key Pinning Extension for HTTP", April 2015
Source of RFC: websec (app)
Errata ID: 5377
Status: Reported
Type: Technical
Publication Format(s) : TEXT
Reported By: Julian Reschke
Date Reported: 2018-06-02
Section 2.3.4 says:
2.3.4. HTTP-Equiv <Meta> Element Attribute
UAs MUST NOT heed http-equiv="Public-Key-Pins" or http-equiv="Public-Key-Pins-Report-Only" attribute settings on <meta> elements [W3C.REC-html401-19991224] in received content.
It should say:
(remove the section)
Notes:
The spec attempts to make a normative requirement on HTML consumers. It can't do that; that's the role of the HTML spec.
In addition to that, this is already covered by what recent HTML specs say about http-equiv extensibility.