On 28.09.17 19:06, Gervase Markham via dev-security-policy wrote: > On 26/09/17 03:17, Ryan Sleevi wrote: >> update in a year, are arguably outside of the scope of ‘reasonable’ use >> cases - the ecosystem itself has shown itself to change on at least that >> frequency. > > Is "1 year" not a relatively common (for some value of "common") setting > for HPKP timeouts for sites which think they have now mastered HPKP?
IIRC both Chrome and Firefox cap the max-age value of HPKP at 60 days. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy