Re: [websec] Consensus call: Issue #57 (max-max-age)

Chris Palmer <palmer@google.com> Thu, 30 May 2013 00:29 UTC

Date: Wed, 29 May 2013 17:29:35 -0700
Message-ID: <CAOuvq23a0BiO5pGDPLLvHY0bZ0JvVrFb7Aq-nGDoBQS_S8HFDw@mail.gmail.com>
In-Reply-To: <7AD36561-65B4-448C-A371-907B12B75AF1@checkpoint.com>
From: Chris Palmer <palmer@google.com>
To: Yoav Nir <ynir@checkpoint.com>
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] Consensus call: Issue #57 (max-max-age)

On Tue, May 28, 2013 at 10:16 PM, Yoav Nir <ynir@checkpoint.com> wrote:

> Disagree on that. Banks and other financial institutions are not web technology companies, but they deal with real money and they have real money with which to buy such expertise. It's no coincidence that banks were very early adopters of anti-XSS and anti-CSRF measures, and it's no coincidence that one of this group's biggest contributors works for Paypal, which is no less a financial institution than any bank or credit card company. If we can't help protect the transactions that involve money, what's the point?

Money is not the only important thing to protect. If HPKP "merely"
protected email or personal messages or social networks, that would
still be pretty awesome — because people often use those systems for
things at least as important as money. (E.g. political speech.) Yes,
of course I want to also protect people's interactions with their
financial institutions.

>> Not exactly; I find Trevor's call for simple clarity compelling, but I
>> also like a browser-determined limit past which we fail open (for the
>> reasons described above). I could happily go either way, which doesn't
>> really help, I realize. :) Ryan and I can just make a call one way or
>> the other and write it up, is that OK?
>
> By "fail open", do you mean fail with a warning to the user, or just silently ignore the pin?

Fail with a warning to the user, as described earlier.

> So I think we should either set no limits, or set hard limits.

I see in a subsequent email, Tobias says:

"""If either "no-limit" and "hard-limit" would both be ok for you (and
others), then I would be strongly in favor of "no-limit"."""

I'll go for no-mandated-limit with suggested-limit.

Other votes?
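The three options being voted on above (no limit, a hard limit past which the pin is ignored with a warning, and a suggested limit) differ only in what a user agent does with a max-age that exceeds the cap. The following is an added illustration written for this archive page, not code from the thread, from the HPKP draft, or from any browser. It parses a Public-Key-Pins header and applies each policy. The 60-day cap, the sample pin values (SHA-256 over constructed bytes rather than real SubjectPublicKeyInfo), and the simplifications that a header with fewer than two pins or no max-age is dropped are all assumptions made for the example.

```python
import base64
import hashlib
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple

# Assumed cap for the example; the thread does not settle on a number.
SUGGESTED_MAX_MAX_AGE = 60 * 24 * 3600  # 60 days, in seconds


class Policy(Enum):
    NO_LIMIT = "no-limit"            # honour whatever max-age the server sends
    HARD_LIMIT = "hard-limit"        # past the cap the pin is ignored ("fail open") and a warning is raised
    SUGGESTED_LIMIT = "suggested"    # past the cap max-age is clamped down; the pin is still enforced


@dataclass
class PinResult:
    pins: List[str]
    max_age: Optional[int]
    include_subdomains: bool
    enforced: bool
    warnings: List[str] = field(default_factory=list)


def make_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_pkp_header(value: str) -> Tuple[List[str], Optional[int], bool]:
    """Parse the directives of a Public-Key-Pins header value."""
    pins, max_age, include_sub = [], None, False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")   # first '=' only; base64 padding stays in val
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "pin-sha256":
            base64.b64decode(val, validate=True)  # rejects malformed pin values
            pins.append(val)
        elif name == "max-age":
            if not val.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
        # unknown directives are ignored so the header stays extensible
    return pins, max_age, include_sub


def apply_pins(header: str, policy: Policy, limit: int = SUGGESTED_MAX_MAX_AGE) -> PinResult:
    """Decide whether, and for how long, to enforce the pins under the given max-max-age policy."""
    pins, max_age, include_sub = parse_pkp_header(header)
    result = PinResult(pins, max_age, include_sub, enforced=True)
    if len(pins) < 2:
        # simplification: the draft's backup-pin rule is approximated as "at least two pins"
        result.enforced = False
        result.warnings.append("fewer than two pins: header ignored")
        return result
    if max_age is None:
        result.enforced = False
        result.warnings.append("missing max-age: header ignored")
        return result
    if max_age > limit:
        if policy is Policy.HARD_LIMIT:
            result.enforced = False  # fail open: surface a warning, do not pin
            result.warnings.append(f"max-age {max_age} exceeds limit {limit}: pin ignored (fail open)")
        elif policy is Policy.SUGGESTED_LIMIT:
            result.max_age = limit   # keep the pin, shorten its lifetime
            result.warnings.append(f"max-age {max_age} clamped to {limit}")
        # NO_LIMIT: accept the value as sent
    return result


# Constructed sample: two fake SPKI blobs and a one-year max-age, which exceeds the assumed cap.
PRIMARY_PIN = make_pin(b"constructed primary key spki")
BACKUP_PIN = make_pin(b"constructed backup key spki")
SAMPLE_HEADER = (
    f'pin-sha256="{PRIMARY_PIN}"; pin-sha256="{BACKUP_PIN}"; '
    "max-age=31536000; includeSubDomains"
)

if __name__ == "__main__":
    for policy in Policy:
        r = apply_pins(SAMPLE_HEADER, policy)
        print(policy.value, "enforced=%s max_age=%s" % (r.enforced, r.max_age), r.warnings)
```

The interesting case is the hard limit: the pin is dropped rather than clamped, so a site that sends an over-long max-age loses protection entirely unless the warning is acted on, which is the "fail open" behaviour discussed in the reply.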