On Mar 27, 2013, at 7:16 PM, Joseph Bonneau <jbonn...@gmail.com>

>> So, 30 days, or 60 days, we can argue about. But 1 year might be too
>> long a time — if we decide to have a mandated max max-age, instead of
>> just providing UA implementation advice.
>> Is there consensus that we should mandate a max max-age, or consensus
>> that we should not?
> To me, the question isn't so much about how long sites will want to
> set max-age for, it's "How long would HPKP-browser makers allow a
> domain to be bricked before caving to pressure to add it to some
> whitelist/revocation list?" I think it's inevitable that some foo.com
> *will* brick themselves using HPKP (or possibly be bricked
> maliciously) and then come crawling to Chrome (or other implementing
> browsers) asking to be bailed out.

Hopefully, it's not just Google that implements this. I guess any browser that 
implements this will have some kind of reset button (like they have for other 
stuff) that will erase all pins. So the site is not really bricked, but still 
it's pretty embarrassing to have to have a message on their home page like 
"Chrome for Mac OS X users of foo.com, due to an administrative error, please 
select the 'Clear Browsing Data…' menu item from the Chrome menu, select 'the 
beginning of time' from the dropdown menu, and check the 'dynamic public key 
pins' box. Then click 'Clear browsing data'. Sorry for the inconvenience."

> If there were a max-age of 60 days, would the Chrome team take a hard
> line of "Sorry foo.com, you'll just have to wait it out"? Or would
> they ship a patch to disable HPKP for foo.com, fearing that otherwise
> some users will just switch to another browser to regain access?

I don't think any of us like the answer, but this probably depends on who 'foo'
is. You don't brick Gmail, Hotmail, Paypal, or any major bank in the US.
http://www.brambleberry.com ? I don't see any of the major browsers issuing a
patch to bail them out.

> If the former is more likely, then a max max-age of 60 days is
> reasonable. If the latter is more likely, then I'd argue against
> having a max max-age at all and instead plan to deal with failures in
> a deus ex machina way.
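The thread is arguing about what a UA-enforced cap on max-age buys: a site that pins itself wrong stays unreachable only until the capped expiry, and a "reset button" that clears dynamic pins ends it sooner. The following is an added example written for this page, not code from the websec thread or from any browser; it models a toy pin store that parses a Public-Key-Pins header, clamps the advertised max-age to a hypothetical 60-day cap (one of the values discussed above), and shows a site that rotates to an unpinned key becoming unreachable and then reachable again once the capped pins expire. The host name `foo.example` and the key bytes are constructed stand-ins for DER SubjectPublicKeyInfo blobs.

```python
"""Toy HPKP pin store: how a UA applies max-age, a max-max-age cap, and a reset.
Added example for this page; not code from the websec thread or from a browser.
The 60-day cap is an assumption taken from the discussion."""
import base64
import hashlib
import re
from dataclasses import dataclass, field

SECONDS_PER_DAY = 86400
# Hypothetical UA policy: clamp any advertised max-age to 60 days.
MAX_MAX_AGE = 60 * SECONDS_PER_DAY


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value for a SubjectPublicKeyInfo blob: base64(SHA-256(spki))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_pkp_header(value: str) -> tuple[set[str], int]:
    """Parse a Public-Key-Pins header into (set of pin-sha256 values, max-age seconds)."""
    pins = set(re.findall(r'pin-sha256="([^"]+)"', value))
    m = re.search(r"max-age=(\d+)", value)
    if m is None:
        raise ValueError("max-age directive is required")
    return pins, int(m.group(1))


@dataclass
class PinStore:
    """Per-host pins with an absolute expiry time, as a browser would keep them."""
    pins: dict[str, tuple[set[str], int]] = field(default_factory=dict)

    def note(self, host: str, header: str, now: int) -> int:
        """Record pins from a header; returns the effective max-age after the UA cap."""
        pins, max_age = parse_pkp_header(header)
        effective = min(max_age, MAX_MAX_AGE)
        if effective == 0:
            self.pins.pop(host, None)  # max-age=0 tells the UA to forget the pins
            return 0
        self.pins[host] = (pins, now + effective)
        return effective

    def validate(self, host: str, chain_spki: list[bytes], now: int) -> bool:
        """True if there are no unexpired pins for host, or some chain key matches a pin."""
        entry = self.pins.get(host)
        if entry is None:
            return True
        pins, expires = entry
        if now >= expires:
            del self.pins[host]  # pins expired: the site is reachable again
            return True
        return any(spki_pin(key) in pins for key in chain_spki)

    def clear(self) -> None:
        """The 'reset button' the message describes: erase every dynamic pin."""
        self.pins.clear()


def demo() -> dict:
    """Site asks for a one-year max-age, then rotates to a key it never pinned."""
    # Constructed keys; real ones are DER SubjectPublicKeyInfo blobs.
    leaf = b"constructed-leaf-key"
    backup = b"constructed-backup-key"
    rotated = b"constructed-new-key-no-pin"  # operator mistake: no pin covers it
    header = (f'pin-sha256="{spki_pin(leaf)}"; pin-sha256="{spki_pin(backup)}"; '
              f"max-age={365 * SECONDS_PER_DAY}")
    store = PinStore()
    t0 = 1_000_000
    effective = store.note("foo.example", header, t0)
    ok_before = store.validate("foo.example", [leaf], t0 + 1)
    bricked = store.validate("foo.example", [rotated], t0 + 1)
    # With the cap, the outage ends after 60 days even though the site asked for a year.
    recovered = store.validate("foo.example", [rotated], t0 + MAX_MAX_AGE)
    return {"effective_days": effective // SECONDS_PER_DAY, "ok_before": ok_before,
            "bricked": bricked, "recovered_after_cap": recovered}


if __name__ == "__main__":
    print(demo())
```

Without the cap, `effective_days` would be 365 and the third check would still fail at day 60; `PinStore.clear()` is the per-user escape hatch the message above describes, and `max-age=0` is the server-side one, which only helps users who can still reach the site.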

websec mailing list