Re: [websec] #57: Re-add an upper limit to max-age
Trevor Perrin <trevp@trevp.net> Fri, 22 March 2013 23:07 UTC
On Fri, Mar 22, 2013 at 2:39 PM, websec issue tracker <trac+websec@trac.tools.ietf.org> wrote:
> #57: Re-add an upper limit to max-age
>
> Comment (by palmer@google.com)
>
> Rather, it was decided that there should be implementation guidance for
> setting an upper limit, including discussing the security considerations
> /trade-offs of high vs. low maximum max-age values.

So this maximum is a "local policy" decided by the UA?

It might be good to also have a spec-mandated maximum. There are cases where you (a domain owner) might have unknown pins or bad pins. For example:

 - you purchased a domain name from someone
 - the domain name was victimized by domain hijacking or domain squatting
 - you misconfigured pins for your domain

If there's no spec-mandated maximum, then there's no point in time at which all old pins are guaranteed to have been expired, and you can start referring people to this domain safely. With a spec maximum (say 30 days), then you have a clear reference point to plan around.

Trevor
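As an added illustration (not part of the message or of the HPKP draft), the following Python models both sides of the argument above: a UA that clamps the max-age it receives to a hypothetical spec-mandated ceiling, and the domain owner's calculation of when every pin previously handed out is guaranteed to have expired. The header, the pin value and the timestamps are constructed; the 30-day ceiling is the example figure from the message.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical spec-mandated ceiling on max-age (30 days, as floated in the message).
SPEC_MAX_AGE = timedelta(days=30)

# Constructed sample: a one-year pin with a made-up pin-sha256 value.
SAMPLE_HEADER = 'max-age=31536000; pin-sha256="cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs="'
RECEIVED_AT = datetime(2013, 3, 22, 23, 7, tzinfo=timezone.utc)


def parse_max_age(header: str) -> int:
    """Return the max-age directive (seconds) from a Public-Key-Pins header value."""
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            return int(value.strip().strip('"'))
    raise ValueError("no max-age directive in header")


def pin_expiry(header: str, received_at: datetime,
               cap: Optional[timedelta] = SPEC_MAX_AGE) -> datetime:
    """UA side: when pins taken from this header stop being enforced.

    With cap=None the UA honours whatever the server sent; with a cap the
    effective lifetime is min(max-age, cap), so a stale or hostile pin can
    never outlive the ceiling.
    """
    ttl = timedelta(seconds=parse_max_age(header))
    if cap is not None and ttl > cap:
        ttl = cap
    return received_at + ttl


def all_pins_expired_by(last_possible_send: datetime,
                        cap: Optional[timedelta]) -> Optional[datetime]:
    """Domain-owner side: earliest instant by which no client can still hold
    an old pin for the domain, given the last moment such a pin could have
    been served. Without a spec cap there is no such bound (None): an unknown
    or misconfigured pin may have carried an arbitrarily large max-age.
    """
    if cap is None:
        return None
    return last_possible_send + cap
```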