On Wed, Mar 27, 2013 at 7:54 PM, Tom Ritter <t...@ritter.vg> wrote:

> " The UA MUST evict all expired Known Pinned Hosts if at any time, an
> expired Known Pinned Host exists in the cache"
>
> I use rrdtool to keep 5 years of statistics for my server. Once, I
> accidentally set the date forward, to 2038, wiping out my statistics -
> there was no way to recover, because rrdtool dutifully wiped all this
> expired data.
>
> Using the word 'evict' seems particularly dangerous, for both active
> ntp attacks, and accidental wiping.
Yoav says the text works for him. I wonder if we can satisfy both by saying something like "the UA MUST ignore expired Known Pinned Hosts in the cache." That way, if the client machine gets its clock fixed and the expired KPHs become un-expired, happiness will ensue once again.

Ryan, thoughts?

_______________________________________________
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec
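To make the "evict" versus "ignore" difference concrete, here is an added model of a Known Pinned Host cache under both policies, run through the clock-skew scenario the thread describes; it is illustration written for this page, not code from the HPKP draft or any browser. The host name, fingerprint label, timestamps and 60-day max-age are constructed, and "evict at any time" is approximated by evicting when an expired entry is encountered on lookup.

```python
"""Known Pinned Host (KPH) cache under two expiry policies (constructed model).

  - "evict":  an expired entry is deleted; once the clock is corrected it is gone.
  - "ignore": an expired entry is not enforced but is kept; once the clock is
              corrected it is usable again.
"""
from dataclasses import dataclass


@dataclass
class KnownPinnedHost:
    host: str
    pins: frozenset      # SPKI fingerprint labels (constructed placeholders)
    expires_at: int      # absolute POSIX time at which the pin set expires


class PinCache:
    def __init__(self, policy: str):
        if policy not in ("evict", "ignore"):
            raise ValueError("policy must be 'evict' or 'ignore'")
        self.policy = policy
        self._entries = {}   # host -> KnownPinnedHost

    def note(self, kph: KnownPinnedHost) -> None:
        self._entries[kph.host] = kph

    def lookup(self, host: str, now: int):
        """Return the KPH to enforce for `host` at clock time `now`, else None.

        Under 'evict' an expired entry is removed as a side effect of being
        seen (this model's stand-in for the draft's "at any time"); under
        'ignore' it is skipped but retained.
        """
        kph = self._entries.get(host)
        if kph is None:
            return None
        if now >= kph.expires_at:
            if self.policy == "evict":
                del self._entries[host]
            return None
        return kph


def clock_skew_scenario(policy: str) -> tuple:
    """Pin noted in 2013, clock jumps to 2038, then clock is corrected.
    Returns (enforced_during_skew, enforced_after_fix)."""
    cache = PinCache(policy)
    t0 = 1_364_428_440                          # constructed: late March 2013
    cache.note(KnownPinnedHost("example.com", frozenset({"pin-sha256-A"}),
                               expires_at=t0 + 60 * 86400))   # 60-day max-age
    skewed = 2_147_483_647                      # clock accidentally set to 2038
    during = cache.lookup("example.com", skewed) is not None
    after = cache.lookup("example.com", t0 + 86400) is not None
    return during, after
```

With "evict" the pin is lost for good after the skew, so the host is left unprotected until a fresh header is seen; with "ignore" it is enforced again as soon as the clock is right.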