Re: [websec] #57: Re-add an upper limit to max-age

Yoav Nir <> Fri, 29 March 2013 01:33 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E12DF21F84B0 for <>; Thu, 28 Mar 2013 18:33:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id F8DNt2ycIOOK for <>; Thu, 28 Mar 2013 18:33:27 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 9B90821F84A9 for <>; Thu, 28 Mar 2013 18:33:26 -0700 (PDT)
Received: from ([]) by (8.13.8/8.13.8) with ESMTP id r2T1X2sY018384; Fri, 29 Mar 2013 04:33:02 +0300
X-CheckPoint: {5154ED9D-0-1B221DC2-2FFFF}
Received: from ([]) by ([]) with mapi id 14.02.0342.003; Fri, 29 Mar 2013 04:33:01 +0300
From: Yoav Nir <>
To: Joseph Bonneau <>
Thread-Topic: [websec] #57: Re-add an upper limit to max-age
Date: Fri, 29 Mar 2013 01:33:01 +0000
Message-ID: <>
References: <> <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean
Content-Type: text/plain; charset="Windows-1252"
Content-ID: <>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "<>" <>, websec issue tracker <>, "<>" <>
Subject: Re: [websec] #57: Re-add an upper limit to max-age
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 29 Mar 2013 01:33:28 -0000

On Mar 27, 2013, at 7:16 PM, Joseph Bonneau <>

>> So, 30 days, or 60 days, we can argue about. But 1 year might be too
>> long a time — if we decide to have a mandated max max-age, instead of
>> just providing UA implementation advice.
>> Is there consensus that we should mandate a max max-age, or consensus
>> that we should not?
> To me, the question isn't so much about how long sites will want to
> set max-age for, it's "How long would HPKP-browser makers allow a
> domain to be bricked before caving to pressure to add it to some
> whitelist/revocation list?" I think it's inevitable that some
> *will* brick themselves using HPKP (or possibly be bricked
> maliciously) and then come crawling to Chrome (or other implementing
> browsers) asking to be bailed out.

Hopefully, it's not just Google that implements this. I guess any browser that implements this will have some kind of reset button (like they have for other stuff) that will erase all pins. So the site is not really bricked, but still it's pretty embarrassing to have to have a message on their home page like "Chrome for Mac OS X users of, due to an administrative error, please select the 'Clear Browsing Data…' menu item from the Chrome menu, select 'the beginning of time' from the dropdown menu, and check the 'dynamic public key pins' box. Then click 'Clear browsing data'. Sorry for the inconvenience."

> If there were a max-age of 60 days, would the Chrome team take a hard
> line of "Sorry, you'll just have to wait it out"? Or would
> they ship a patch to disables HPKP for, fearing that otherwise
> some users will just switch to another browser to regain access?

I don't think any of us like the answer, but this probably depends on who 'foo' is. You don't brick Gmail, Hotmail, Paypal, or any major bank in the US. ? I don't see any of the major browser issuing a patch to bail them out.

> If the former is more likely, then a max max-age of 60 days is
> reasonable. If the latter is more likely, then I'd argue against
> having a max max-age at all and instead plan to deal with failures in
> a deus ex machina way.