Re: [websec] Consensus call: Issue #57 (max-max-age)

Tobias Gondrom <tobias.gondrom@gondrom.org> Tue, 28 May 2013 11:53 UTC

Message-ID: <51A49ACA.3070103@gondrom.org>
Date: Tue, 28 May 2013 12:53:46 +0100
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
To: websec@ietf.org
References: <43C5DE99-43EB-42FC-8F61-24F9A9429FD1@checkpoint.com> <CA+cU71=Q_QkHqiQ95AZgw8Bi7U_mgCi4icMypwFUp1C6i=apUA@mail.gmail.com> <518EE510.9060600@it.aoyama.ac.jp> <8450797E-818C-445C-ABD2-1B8F9AE1DBB9@checkpoint.com> <5194918A.7030300@gondrom.org> <CAGZ8ZG0SWZD9e-NP2RhQMQ-=F5JUCCytF2NYTdWH7u13hhBqqQ@mail.gmail.com> <1A1F4108-B0F3-4742-9DC5-2D8E1E56D7E1@checkpoint.com> <CAGZ8ZG0dtjLQRphcykdewUtx+D3rihtNYp57V2JJ9Ve2OtYBXA@mail.gmail.com> <519D8244.6050209@mozilla.com>
In-Reply-To: <519D8244.6050209@mozilla.com>

Hi Dan,
<hat="individual">
Thank you for the info. And a good point.
Tobias


On 23/05/13 03:43, Daniel Veditz wrote:
> On 5/22/2013 3:29 PM, Trevor Perrin wrote:
>> The draft discusses "Preloaded Pin Lists", which are presumably conveyed
>> to the UA from some 3rd party (eg browser vendor).  It seems reasonable
>> for such lists to be created or kept fresh by scanning web sites.  I
>> believe Mozilla is taking this approach to HSTS [1].
>
> Note that Mozilla currently requires sites to specify an HSTS pinning
> time of at least 18 WEEKS to be included in the pre-load list. There
> was concern that sites with shorter pins could have stopped using HSTS
> by the time that version of the browser shipped. I personally think that's
> a little strict, but even if we relaxed the requirement to the length
> of a Beta cycle that's still a longer period of time (6 weeks) than
> the maximum 30 days you're suggesting.
>
> This has no direct bearing on whether 30 days is a reasonable max
> pinning length, but I doubt Mozilla would ship a pre-loaded list if
> the lifetime was so short that pins would have expired by the time the
> user gets it.
>
> -Dan Veditz
>
>
>
>
> _______________________________________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/listinfo/websec
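The tension Dan describes (a preload list that requires a declared lifetime of at least 18 weeks versus a proposed cap of 30 days) is easy to check mechanically. The following is an added example, not code from the thread or from Mozilla: it parses a Strict-Transport-Security header value the way RFC 6797 lays out the syntax (directives separated by ";", a single required max-age) and reports whether the declared lifetime satisfies the 18-week preload minimum quoted above and whether it would fit under a 30-day cap. The `preload` token is a browser-vendor extension rather than part of RFC 6797, and the sample headers are constructed for illustration.

```python
"""Check an HSTS header against a preload minimum and a proposed max-age cap.

Added example, not part of the websec thread. Thresholds come from the
discussion above: Mozilla's 18-week preload minimum and the 30-day cap
that was being debated. Sample headers are constructed.
"""
import re
from dataclasses import dataclass

DAY = 24 * 3600
WEEK = 7 * DAY
PRELOAD_MIN_SECONDS = 18 * WEEK   # minimum quoted by Dan Veditz
PROPOSED_CAP_SECONDS = 30 * DAY   # cap under discussion in the thread


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: str) -> HstsPolicy:
    """Parse an STS header value; raise ValueError if it is not usable.

    RFC 6797 requires exactly one max-age directive, lets directive names
    be case-insensitive, and tells UAs to ignore unknown directives.
    The 'preload' token is a vendor extension (assumption: treated as a
    flag here, as the public preload lists do).
    """
    max_age = None
    include_subdomains = False
    preload = False
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if max_age is not None:
                raise ValueError("duplicate max-age directive")
            if not re.fullmatch(r"[0-9]+", value):
                raise ValueError("max-age must be a non-negative integer")
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # any other directive is ignored, as RFC 6797 section 6.1 allows
    if max_age is None:
        raise ValueError("max-age directive is required")
    return HstsPolicy(max_age, include_subdomains, preload)


def classify(header: str) -> dict:
    """Report how a header's lifetime relates to the two thresholds."""
    policy = parse_hsts(header)
    return {
        "max_age_days": policy.max_age / DAY,
        "preload_requested": policy.preload,
        "meets_preload_minimum": policy.max_age >= PRELOAD_MIN_SECONDS,
        "within_proposed_cap": policy.max_age <= PROPOSED_CAP_SECONDS,
    }


def thresholds_compatible() -> bool:
    """True only if some max-age could satisfy both limits at once."""
    return PRELOAD_MIN_SECONDS <= PROPOSED_CAP_SECONDS


if __name__ == "__main__":
    # Constructed sample headers: a typical preload candidate and a short one.
    for sample in ("max-age=31536000; includeSubDomains; preload",
                   "max-age=2592000"):
        print(sample, "->", classify(sample))
    print("a single value can satisfy both limits:", thresholds_compatible())
```

Running it shows what the thread is getting at: a one-year policy clears the preload minimum but not the cap, a 30-day policy fits the cap but could never be preloaded, and `thresholds_compatible()` confirms no lifetime satisfies both at once.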