> So, 30 days, or 60 days, we can argue about. But 1 year might be too
> long a time — if we decide to have a mandated max max-age, instead of
> just providing UA implementation advice.
>
> Is there consensus that we should mandate a max max-age, or consensus
> that we should not?
To me, the question isn't so much about how long sites will want to set max-age for, it's "How long would HPKP-browser makers allow a domain to be bricked before caving to pressure to add it to some whitelist/revocation list?"

I think it's inevitable that some foo.com *will* brick themselves using HPKP (or possibly be bricked maliciously) and then come crawling to Chrome (or other implementing browsers) asking to be bailed out. If there were a max-age of 60 days, would the Chrome team take a hard line of "Sorry foo.com, you'll just have to wait it out"? Or would they ship a patch to disable HPKP for foo.com, fearing that otherwise some users will just switch to another browser to regain access?

If the former is more likely, then a max max-age of 60 days is reasonable. If the latter is more likely, then I'd argue against having a max max-age at all and instead plan to deal with failures in a deus ex machina way.

_______________________________________________
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec
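The self-bricking risk discussed in this thread is something a site operator can screen for before a Public-Key-Pins header ever reaches production. The following pre-deployment check is an added example, not code from the websec thread, from any browser, or from any IETF draft. It assumes the 60-day cap that the thread debates as its `MAX_MAX_AGE_SECONDS` limit (a configurable assumption), parses the header using the RFC 7469 directive syntax, and also flags a policy with fewer than two distinct pins, since RFC 7469 requires a backup pin precisely so that a key loss does not lock users out. The sample pins and headers are constructed inline, not taken from any real site.

```python
"""Pre-deployment sanity check for an HPKP (Public-Key-Pins) header value.

Added example: not from the websec thread or any browser implementation.
Assumes a 60-day maximum max-age (one of the values debated on the list).
"""
import base64
import re

# Assumption: cap max-age at 60 days, expressed in seconds (5184000).
MAX_MAX_AGE_SECONDS = 60 * 24 * 3600

# One directive: name, optionally "=" and either a quoted or a bare token value.
_DIRECTIVE_RE = re.compile(
    r'\s*([A-Za-z0-9-]+)\s*(?:=\s*(?:"([^"]*)"|([^;\s]*)))?\s*'
)


def parse_hpkp(header_value):
    """Split a Public-Key-Pins value into (name, value) pairs.

    Directive names are lowercased; a directive without "=" gets value None.
    Raises ValueError on a directive that does not fit the grammar.
    """
    directives = []
    for part in header_value.split(';'):
        if not part.strip():          # tolerate a trailing ";"
            continue
        m = _DIRECTIVE_RE.fullmatch(part)
        if not m:
            raise ValueError('malformed directive: %r' % part)
        name = m.group(1).lower()
        value = m.group(2) if m.group(2) is not None else m.group(3)
        directives.append((name, value))
    return directives


def _valid_sha256_pin(value):
    """A pin must be base64 of exactly 32 bytes (a SHA-256 digest)."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:                # binascii.Error is a ValueError subclass
        return False
    return len(raw) == 32


def check_pins(header_value, max_max_age=MAX_MAX_AGE_SECONDS):
    """Return a list of problems with the policy; an empty list means it passes."""
    problems = []
    pins = []
    max_age = None
    for name, value in parse_hpkp(header_value):
        if name == 'pin-sha256':
            if value is None or not _valid_sha256_pin(value):
                problems.append('pin is not a base64 SHA-256 digest: %r' % (value,))
            else:
                pins.append(value)
        elif name == 'max-age':
            try:
                max_age = int(value)
            except (TypeError, ValueError):
                problems.append('max-age is not an integer: %r' % (value,))
    if max_age is None:
        problems.append('max-age directive missing')
    elif max_age > max_max_age:
        problems.append('max-age %d exceeds cap of %d seconds' % (max_age, max_max_age))
    if len(set(pins)) < 2:
        problems.append('fewer than two distinct pins (RFC 7469 requires a backup pin)')
    return problems


# Constructed sample pins: 32 dummy bytes each, base64-encoded. Not real keys.
PIN_A = base64.b64encode(b'\x01' * 32).decode()
PIN_B = base64.b64encode(b'\x02' * 32).decode()

# Constructed headers: one that respects the assumed cap and carries a backup
# pin, and one that pins a single key for a year.
GOOD_HEADER = 'pin-sha256="%s"; pin-sha256="%s"; max-age=5184000; includeSubDomains' % (PIN_A, PIN_B)
BAD_HEADER = 'pin-sha256="%s"; max-age=31536000' % PIN_A

if __name__ == '__main__':
    for label, hdr in (('good', GOOD_HEADER), ('bad', BAD_HEADER)):
        print(label, check_pins(hdr) or 'OK')
```

Run as a script it prints `OK` for the first header and two findings for the second (max-age over the cap, and no backup pin). The cap is a parameter of `check_pins` so the same check works whichever value, 30 days, 60 days or none, the list eventually settles on.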