On Fri, Mar 22, 2013 at 7:07 PM, Trevor Perrin <tr...@trevp.net> wrote:

> With a spec maximum (say 30 days), then you have a clear reference
> point to plan around.
Agreed. I have some stats I've been looking at from Google's web crawls about HSTS headers. Out of 12853 hosts I observed setting HSTS, 53% set a max-age of 1 year. After that it's 15% 30 days, 12% 180 days, 10% 1 day, and a smattering of other choices (with a few large hosts like Twitter setting very long-lived max-age). These are only a rough upper bound on the max-age values that would be set for pins, but it seems a substantial number of hosts would request longer than 30 days, while 1 year will support most likely use cases, so we should probably land somewhere between those two points.

The follow-on question is, if UAs allow max-age of 1 year, will there need to be a revocation method to deal with some of the cases that Trevor highlighted?

_______________________________________________
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec
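The kind of tabulation described above (which max-age values sites actually set, and how many exceed a proposed spec cap such as 30 days), as an added Python example that is not part of this thread: it parses Strict-Transport-Security header values per RFC 6797 and buckets the max-age choices. The header sample is constructed for illustration, not the crawl data the message refers to.

```python
"""Parse HSTS header values and tabulate the max-age choices they carry."""
from collections import Counter

DAY = 86400
# Bucket labels for the max-age values discussed in the thread (in seconds).
BUCKETS = {365 * DAY: "1 year", 180 * DAY: "180 days",
           30 * DAY: "30 days", DAY: "1 day"}


def parse_hsts(header):
    """Return (max_age, include_subdomains) for an RFC 6797 STS header value.

    Directives are ';'-separated, names are case-insensitive and max-age is
    mandatory; returns None for a malformed header or a missing max-age.
    """
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            # A non-numeric or duplicated max-age makes the header invalid.
            if not value.isdigit() or max_age is not None:
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


def tabulate(headers, cap=None):
    """Count headers per bucket and how many exceed `cap` seconds (if given)."""
    counts, over_cap = Counter(), 0
    for header in headers:
        parsed = parse_hsts(header)
        if parsed is None:
            counts["invalid"] += 1
            continue
        max_age, _ = parsed
        counts[BUCKETS.get(max_age, "other")] += 1
        if cap is not None and max_age > cap:
            over_cap += 1
    return dict(counts), over_cap


# Constructed sample header values (not observed crawl data).
SAMPLE = [
    "max-age=31536000; includeSubDomains",   # 1 year
    "max-age=31536000",                      # 1 year
    "max-age=2592000",                       # 30 days: exactly at a 30-day cap
    "max-age=15552000",                      # 180 days
    "max-age=86400",                         # 1 day
    'includeSubDomains; MAX-AGE="631138519"',  # very long-lived, quoted value
    "includeSubDomains",                     # invalid: no max-age
    "max-age=abc",                           # invalid: non-numeric
]
```

Calling `tabulate(SAMPLE, cap=30 * DAY)` reports four of the six valid hosts asking for longer than a 30-day cap.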