Re: [websec] #57: Re-add an upper limit to max-age

Trevor Perrin <trevp@trevp.net> Fri, 22 March 2013 23:07 UTC

In-Reply-To: <073.92e203ac2ffbca6a9b6ecd285f8d0e00@trac.tools.ietf.org>
References: <058.4066f40ba1a0e0b17085c25af1721605@trac.tools.ietf.org> <073.92e203ac2ffbca6a9b6ecd285f8d0e00@trac.tools.ietf.org>
Date: Fri, 22 Mar 2013 16:07:36 -0700
Message-ID: <CAGZ8ZG1HsW_SgB4OFRDPZT_3rUwsB8yvYxtE+fSpwLfoyrtHyg@mail.gmail.com>
From: Trevor Perrin <trevp@trevp.net>
To: websec issue tracker <trac+websec@trac.tools.ietf.org>
Cc: websec@ietf.org, sleevi@google.com
Subject: Re: [websec] #57: Re-add an upper limit to max-age

On Fri, Mar 22, 2013 at 2:39 PM, websec issue tracker
<trac+websec@trac.tools.ietf.org> wrote:
> #57: Re-add an upper limit to max-age
>
>
> Comment (by palmer@google.com):
>
>  Rather, it was decided that there should be implementation guidance for
>  setting an upper limit, including discussing the security considerations
>  /trade-offs of high vs. low maximum max-age values.

So this maximum is a "local policy" decided by the UA?

It might be good to also have a spec-mandated maximum.

There are cases where you (a domain owner) might have unknown pins or
bad pins.  For example:
 - you purchased a domain name from someone
 - the domain name was victimized by domain hijacking or domain squatting
 - you misconfigured pins for your domain

If there's no spec-mandated maximum, then there's no point in time at
which all old pins are guaranteed to have been expired, and you can
start referring people to this domain safely.

With a spec maximum (say 30 days), you have a clear reference
point to plan around.


Trevor
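The expiry argument in the message above, worked through as an added model (this is not code from the websec working group, the thread, or any browser): a toy user-agent pin cache that either clamps max-age to a spec cap or accepts it as served. The host name, pin value and timeline are constructed placeholders, and the "max-age of 0 removes the pins" rule is the behaviour of the key-pinning draft under discussion, not something the thread states.

```python
"""Model of a UA pin cache with and without a spec-mandated max-age cap.
Added illustration for this thread; not working-group or browser code.
Hosts, pin values and times below are constructed placeholders."""

from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

DAY = 24 * 3600
SPEC_MAX_AGE = 30 * DAY  # the illustrative 30-day cap from the message


@dataclass
class PinEntry:
    pins: FrozenSet[str]
    expires_at: int  # absolute time, seconds


class PinStore:
    """Minimal per-host pin cache.  cap=None models 'no spec maximum';
    any other value is the ceiling the UA applies to a served max-age."""

    def __init__(self, cap: Optional[int]):
        self.cap = cap
        self.entries: Dict[str, PinEntry] = {}

    def observe(self, host: str, pins, max_age: int, now: int) -> None:
        """Record the pins a host served at time `now`.  A max-age of 0
        deletes the host's pins; otherwise the lifetime is clamped to cap."""
        if max_age <= 0:
            self.entries.pop(host, None)
            return
        lifetime = max_age if self.cap is None else min(max_age, self.cap)
        self.entries[host] = PinEntry(frozenset(pins), now + lifetime)

    def active_pins(self, host: str, now: int) -> Optional[FrozenSet[str]]:
        """Pins still enforced for `host` at time `now`, or None."""
        entry = self.entries.get(host)
        if entry is None:
            return None
        if entry.expires_at <= now:
            del self.entries[host]  # lazily drop the expired entry
            return None
        return entry.pins


def all_pins_expired_by(last_served_at: int, cap: Optional[int]) -> Optional[int]:
    """Earliest time at which every pin served up to `last_served_at` is
    guaranteed gone, whatever max-age those pins carried.  With no cap
    there is no such time, so the function returns None."""
    if cap is None:
        return None
    return last_served_at + cap


def takeover_scenario(cap: Optional[int]) -> dict:
    """Constructed timeline: the previous controller of the host served a
    pin with a ten-year max-age at t=0; the new owner wants to know when
    a client that last visited at t=0 will no longer enforce that pin."""
    host = "example.test"                        # constructed host
    old_pin = "sha256/OLD-OWNER-PLACEHOLDER="    # constructed pin value
    store = PinStore(cap)
    store.observe(host, {old_pin}, max_age=10 * 365 * DAY, now=0)
    safe_at = all_pins_expired_by(last_served_at=0, cap=cap)
    # Check at the reference point the cap gives, or at one year if none
    check_at = safe_at if safe_at is not None else 365 * DAY
    return {
        "safe_at": safe_at,
        "still_pinned_at_check": store.active_pins(host, check_at) is not None,
    }


if __name__ == "__main__":
    print("with 30-day cap:", takeover_scenario(SPEC_MAX_AGE))
    print("with no cap:    ", takeover_scenario(None))
```

With the cap, `all_pins_expired_by` gives the new owner a concrete date (last observation plus the cap) after which no client can still hold the old pin; without it the answer is undefined, which is the planning problem the message describes.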