Re: [websec] #57: Re-add an upper limit to max-age
Joseph Bonneau <jbonneau@gmail.com> Wed, 27 March 2013 23:16 UTC
Return-Path: <jbonneau@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C4C0421F9007 for <websec@ietfa.amsl.com>; Wed, 27 Mar 2013 16:16:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zsjoRgQE3r01 for <websec@ietfa.amsl.com>; Wed, 27 Mar 2013 16:16:45 -0700 (PDT)
Received: from mail-qa0-f42.google.com (mail-qa0-f42.google.com [209.85.216.42]) by ietfa.amsl.com (Postfix) with ESMTP id 2E4E521F8FBE for <websec@ietf.org>; Wed, 27 Mar 2013 16:16:45 -0700 (PDT)
Received: by mail-qa0-f42.google.com with SMTP id bv4so1211596qab.8 for <websec@ietf.org>; Wed, 27 Mar 2013 16:16:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=x-received:mime-version:in-reply-to:references:from:date:message-id :subject:to:cc:content-type:content-transfer-encoding; bh=CWX/P4IhT0S5EIz62YiUACB9v1LXnY9DAf1Z2GYH40Y=; b=iLK1QXESDJzIR6kMJ65L7njmdrrh2HMnaZ7SFyGqvk68F7GfMojZN9iDKT5Gt0b/+g rfBne9sdv9bwRXVZ5HVxh6PAb+Z8df2/KhqvMkOk2PA+0hy7ZVmsyUWTqiek6QDukDWS 9h19V6CbxVgPR4IzGzwQpt8nRdLiuGoTSxKEAGOlWirHRQyFCPVnPiiNY0vkvvfsVS2E J3QAyqk78YbsEi3b5y48/x9UhDn1w0jYvXSXDV64NYs/ieoZVzDLpGVrqRwCF1PvWdKW aKg2RqK8Z0l2/UNONjmpcqso9C+L3UYx8faMj+AGAGWOF4jZMaO42vwx4RG8jchb+5aJ TXTw==
X-Received: by 10.224.102.1 with SMTP id e1mr15100684qao.15.1364426204479; Wed, 27 Mar 2013 16:16:44 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.49.6.202 with HTTP; Wed, 27 Mar 2013 16:16:24 -0700 (PDT)
In-Reply-To: <CAOuvq21ZjAD3W7RmSLO0OtrE0SZ35nfw_+o+RiaOkxGS6ay0mQ@mail.gmail.com>
References: <058.4066f40ba1a0e0b17085c25af1721605@trac.tools.ietf.org> <073.92e203ac2ffbca6a9b6ecd285f8d0e00@trac.tools.ietf.org> <CAGZ8ZG1HsW_SgB4OFRDPZT_3rUwsB8yvYxtE+fSpwLfoyrtHyg@mail.gmail.com> <CAOe4Ui=1ADLZsHrHpFofQW48DpERfAENH0a5zUFta81PejCNUA@mail.gmail.com> <C9FEEDC3-3178-4641-B9D2-6319183AD956@checkpoint.com> <CAOuvq21ZjAD3W7RmSLO0OtrE0SZ35nfw_+o+RiaOkxGS6ay0mQ@mail.gmail.com>
From: Joseph Bonneau <jbonneau@gmail.com>
Date: Wed, 27 Mar 2013 19:16:24 -0400
Message-ID: <CAOe4UikHTm=NnDQbB-W3APrGn+MVwQLdf=j3FNsDEDNvna9yng@mail.gmail.com>
To: Chris Palmer <palmer@google.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: "<websec@ietf.org>" <websec@ietf.org>, websec issue tracker <trac+websec@grenache.tools.ietf.org>, "<sleevi@google.com>" <sleevi@google.com>
Subject: Re: [websec] #57: Re-add an upper limit to max-age
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Mar 2013 23:16:55 -0000
> So, 30 days, or 60 days, we can argue about. But 1 year might be too > long a time — if we decide to have a mandated max max-age, instead of > just providing UA implementation advice. > > Is there consensus that we should mandate a max max-age, or consensus > that we should not? To me, the question isn't so much about how long sites will want to set max-age for, it's "How long would HPKP-browser makers allow a domain to be bricked before caving to pressure to add it to some whitelist/revocation list?" I think it's inevitable that some foo.com *will* brick themselves using HPKP (or possibly be bricked maliciously) and then come crawling to Chrome (or other implementing browsers) asking to be bailed out. If there were a max-age of 60 days, would the Chrome team take a hard line of "Sorry foo.com, you'll just have to wait it out"? Or would they ship a patch to disables HPKP for foo.com, fearing that otherwise some users will just switch to another browser to regain access? If the former is more likely, then a max max-age of 60 days is reasonable. If the latter is more likely, then I'd argue against having a max max-age at all and instead plan to deal with failures in a deus ex machina way.
- [websec] #57: Re-add an upper limit to max-age websec issue tracker
- Re: [websec] #57: Re-add an upper limit to max-age websec issue tracker
- Re: [websec] #57: Re-add an upper limit to max-age websec issue tracker
- Re: [websec] #57: Re-add an upper limit to max-age Trevor Perrin
- Re: [websec] #57: Re-add an upper limit to max-age Joseph Bonneau
- Re: [websec] #57: Re-add an upper limit to max-age Yoav Nir
- Re: [websec] #57: Re-add an upper limit to max-age Tobias Gondrom
- Re: [websec] #57: Re-add an upper limit to max-age Trevor Perrin
- Re: [websec] #57: Re-add an upper limit to max-age Chris Palmer
- Re: [websec] #57: Re-add an upper limit to max-age Joseph Bonneau
- Re: [websec] #57: Re-add an upper limit to max-age Yoav Nir
- Re: [websec] #57: Re-add an upper limit to max-age Joseph Bonneau
- Re: [websec] #57: Re-add an upper limit to max-age Yoav Nir
- Re: [websec] #57: Re-add an upper limit to max-age Yoav Nir
- Re: [websec] #57: Re-add an upper limit to max-age Ryan Sleevi
- Re: [websec] #57: Re-add an upper limit to max-age Trevor Perrin
- Re: [websec] #57: Re-add an upper limit to max-age Yoav Nir
- Re: [websec] #57: Re-add an upper limit to max-age Trevor Perrin
- Re: [websec] #57: Re-add an upper limit to max-age websec issue tracker