Re: [websec] #57: Re-add an upper limit to max-age

Joseph Bonneau <> Wed, 27 March 2013 23:16 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C4C0421F9007 for <>; Wed, 27 Mar 2013 16:16:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id zsjoRgQE3r01 for <>; Wed, 27 Mar 2013 16:16:45 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 2E4E521F8FBE for <>; Wed, 27 Mar 2013 16:16:45 -0700 (PDT)
Received: by with SMTP id bv4so1211596qab.8 for <>; Wed, 27 Mar 2013 16:16:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=x-received:mime-version:in-reply-to:references:from:date:message-id :subject:to:cc:content-type:content-transfer-encoding; bh=CWX/P4IhT0S5EIz62YiUACB9v1LXnY9DAf1Z2GYH40Y=; b=iLK1QXESDJzIR6kMJ65L7njmdrrh2HMnaZ7SFyGqvk68F7GfMojZN9iDKT5Gt0b/+g rfBne9sdv9bwRXVZ5HVxh6PAb+Z8df2/KhqvMkOk2PA+0hy7ZVmsyUWTqiek6QDukDWS 9h19V6CbxVgPR4IzGzwQpt8nRdLiuGoTSxKEAGOlWirHRQyFCPVnPiiNY0vkvvfsVS2E J3QAyqk78YbsEi3b5y48/x9UhDn1w0jYvXSXDV64NYs/ieoZVzDLpGVrqRwCF1PvWdKW aKg2RqK8Z0l2/UNONjmpcqso9C+L3UYx8faMj+AGAGWOF4jZMaO42vwx4RG8jchb+5aJ TXTw==
X-Received: by with SMTP id e1mr15100684qao.15.1364426204479; Wed, 27 Mar 2013 16:16:44 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Wed, 27 Mar 2013 16:16:24 -0700 (PDT)
In-Reply-To: <>
References: <> <> <> <> <> <>
From: Joseph Bonneau <>
Date: Wed, 27 Mar 2013 19:16:24 -0400
Message-ID: <>
To: Chris Palmer <>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: "<>" <>, websec issue tracker <>, "<>" <>
Subject: Re: [websec] #57: Re-add an upper limit to max-age
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 27 Mar 2013 23:16:55 -0000

> So, 30 days, or 60 days, we can argue about. But 1 year might be too
> long a time — if we decide to have a mandated max max-age, instead of
> just providing UA implementation advice.
> Is there consensus that we should mandate a max max-age, or consensus
> that we should not?

To me, the question isn't so much about how long sites will want to
set max-age for, it's "How long would HPKP-browser makers allow a
domain to be bricked before caving to pressure to add it to some
whitelist/revocation list?" I think it's inevitable that some
*will* brick themselves using HPKP (or possibly be bricked
maliciously) and then come crawling to Chrome (or other implementing
browsers) asking to be bailed out.

If there were a max-age of 60 days, would the Chrome team take a hard
line of "Sorry, you'll just have to wait it out"? Or would
they ship a patch to disables HPKP for, fearing that otherwise
some users will just switch to another browser to regain access?

If the former is more likely, then a max max-age of 60 days is
reasonable. If the latter is more likely, then I'd argue against
having a max max-age at all and instead plan to deal with failures in
a deus ex machina way.