Re: [websec] Consensus call: Issue #57 (max-max-age)
"Martin J. Dürst" <duerst@it.aoyama.ac.jp> Sun, 12 May 2013 00:41 UTC
Return-Path: <duerst@it.aoyama.ac.jp>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2EB5E21F859D for <websec@ietfa.amsl.com>; Sat, 11 May 2013 17:41:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -108.044
X-Spam-Level:
X-Spam-Status: No, score=-108.044 tagged_above=-999 required=5 tests=[AWL=-2.254, BAYES_00=-2.599, GB_I_LETTER=-2, HELO_EQ_JP=1.244, HOST_EQ_JP=1.265, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p5uuIXdmuSYm for <websec@ietfa.amsl.com>; Sat, 11 May 2013 17:41:31 -0700 (PDT)
Received: from scintmta02.scbb.aoyama.ac.jp (scintmta02.scbb.aoyama.ac.jp [133.2.253.34]) by ietfa.amsl.com (Postfix) with ESMTP id 3A86E21F856D for <websec@ietf.org>; Sat, 11 May 2013 17:41:30 -0700 (PDT)
Received: from scmse02.scbb.aoyama.ac.jp ([133.2.253.231]) by scintmta02.scbb.aoyama.ac.jp (secret/secret) with SMTP id r4C0f8qS022366; Sun, 12 May 2013 09:41:09 +0900
Received: from (unknown [133.2.206.134]) by scmse02.scbb.aoyama.ac.jp with smtp id 3e19_9bdf_a2df121c_ba9c_11e2_9b3b_001e6722eec2; Sun, 12 May 2013 09:41:07 +0900
Received: from [IPv6:::1] (unknown [133.2.210.1]) by itmail2.it.aoyama.ac.jp (Postfix) with ESMTP id A9837BF4AF; Sun, 12 May 2013 09:40:26 +0900 (JST)
Message-ID: <518EE510.9060600@it.aoyama.ac.jp>
Date: Sun, 12 May 2013 09:40:48 +0900
From: "\"Martin J. Dürst\"" <duerst@it.aoyama.ac.jp>
Organization: Aoyama Gakuin University
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.9) Gecko/20100722 Eudora/3.0.4
MIME-Version: 1.0
To: Tom Ritter <tom@ritter.vg>
References: <43C5DE99-43EB-42FC-8F61-24F9A9429FD1@checkpoint.com> <CA+cU71=Q_QkHqiQ95AZgw8Bi7U_mgCi4icMypwFUp1C6i=apUA@mail.gmail.com>
In-Reply-To: <CA+cU71=Q_QkHqiQ95AZgw8Bi7U_mgCi4icMypwFUp1C6i=apUA@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] Consensus call: Issue #57 (max-max-age)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 12 May 2013 00:41:37 -0000
I agree with Tom Ritter, with one caveat: The spec should very clearly call out the issue (balance between too soon pin expiry and too long), rather than not mentioning it. I haven't found such language (i.e. guidance to UA implementers) in the document, but I might have looked in the wrong place (I looked at every piece of text that contained the three letters 'max'). Regards, Martin. On 2013/05/12 5:09, Tom Ritter wrote: > On 7 May 2013 03:13, Yoav Nir<ynir@checkpoint.com> wrote: >> How should we handle the max-max-age issue: >> (1) No hard limits, but allow UAs to limit the pin time. Suggest a month >> (2) Set a hard limit of one month in the RFC. Longer pins are truncated. >> (3) No hard limits, but allow the UA to skip hard-fail if a pin hasn't been observed for some time (like a month) >> (4) Adopt some gradual confidence-building scheme a-la-TACK. >> >> "None of the above" is possible, but MUST come with argument and proposed text. > > > None of the above: No hard limits, leave limiting the pin time > unspecified, make no suggestion. I don't believe any text changes are > necessary. > > I think UAs that are sufficiently worried about websites bricking > themselves come up with creative solutions that work well for them, > but may not be applicable to others. (Chrome's will (or would) expire > hardcoded pins if there hasn't been a Chrome update in a month - they > could do the same for max-ages.) I don't like the idea of suggesting > that UAs unilaterally override a site's possible desire to pin for > more than 1 month. > > -tom. > _______________________________________________ > websec mailing list > websec@ietf.org > https://www.ietf.org/mailman/listinfo/websec >
- Re: [websec] Consensus call: Issue #57 (max-max-a… Yoav Nir
- [websec] Consensus call: Issue #57 (max-max-age) Yoav Nir
- Re: [websec] Consensus call: Issue #57 (max-max-a… Trevor Perrin
- Re: [websec] Consensus call: Issue #57 (max-max-a… Tom Ritter
- Re: [websec] Consensus call: Issue #57 (max-max-a… Martin J. Dürst
- Re: [websec] Consensus call: Issue #57 (max-max-a… Tobias Gondrom
- Re: [websec] Consensus call: Issue #57 (max-max-a… Tobias Gondrom
- Re: [websec] Consensus call: Issue #57 (max-max-a… Trevor Perrin
- Re: [websec] Consensus call: Issue #57 (max-max-a… Yoav Nir
- Re: [websec] Consensus call: Issue #57 (max-max-a… Tobias Gondrom
- Re: [websec] Consensus call: Issue #57 (max-max-a… Yoav Nir
- Re: [websec] Consensus call: Issue #57 (max-max-a… Tobias Gondrom
- Re: [websec] Consensus call: Issue #57 (max-max-a… Trevor Perrin
- Re: [websec] Consensus call: Issue #57 (max-max-a… Ryan Sleevi
- Re: [websec] Consensus call: Issue #57 (max-max-a… Trevor Perrin
- Re: [websec] Consensus call: Issue #57 (max-max-a… Chris Palmer
- Re: [websec] Consensus call: Issue #57 (max-max-a… Daniel Veditz
- Re: [websec] Consensus call: Issue #57 (max-max-a… Trevor Perrin
- Re: [websec] Consensus call: Issue #57 (max-max-a… Tobias Gondrom
- Re: [websec] Consensus call: Issue #57 (max-max-a… Tobias Gondrom
- Re: [websec] Consensus call: Issue #57 (max-max-a… Chris Palmer
- Re: [websec] Consensus call: Issue #57 (max-max-a… Yoav Nir
- Re: [websec] Consensus call: Issue #57 (max-max-a… Tobias Gondrom
- Re: [websec] Consensus call: Issue #57 (max-max-a… Chris Palmer
- Re: [websec] Consensus call: Issue #57 (max-max-a… Yoav Nir
- Re: [websec] Consensus call: Issue #57 (max-max-a… Trevor Perrin
- Re: [websec] Consensus call: Issue #57 (max-max-a… Tobias Gondrom
- Re: [websec] Consensus call: Issue #57 (max-max-a… Yoav Nir
- Re: [websec] Consensus call: Issue #57 (max-max-a… Tobias Gondrom
- Re: [websec] Consensus call: Issue #57 (max-max-a… Sheehe, Charles J. (GRC-DPC0)
- Re: [websec] Consensus call: Issue #57 (max-max-a… Trevor Perrin
- Re: [websec] Consensus call: Issue #57 (max-max-a… Trevor Perrin
- Re: [websec] Consensus call: Issue #57 (max-max-a… Trevor Perrin
- Re: [websec] Consensus call: Issue #57 (max-max-a… Sheehe, Charles J. (GRC-DPC0)
- Re: [websec] Consensus call: Issue #57 (max-max-a… Trevor Perrin