On Fri, Mar 29, 2013 at 7:05 PM, Yoav Nir <y...@checkpoint.com> wrote: > > Getting back to the subject of the thread, I still don't see the difference > for a site operator between being bricked for 60 days and being bricked for a > year. For an only retailer it's catastrophe either way.
Hi Yoav, There are other things to consider when thinking about pin lifetimes: - Suppose a site foolishly sets a year-long pin to keys that will be expired in 6 months. A client who receives this pin and then visits the site 6 months later will perceive that the site is bricked for the next 6 months. - Suppose a site has a year-long pin to a set of end-entity keys. Suppose these keys are compromised by a hacker. For the next year, the site will be unable to change keys to re-establish security without a risk of "bricking" the site for clients with the old pin. - Suppose you purchase a domain name. The previous owner may have set long-term pins, meaning the name is not fully usable until these expire. So this isn't just a question of "how long might a site outage last". Longer pin lifetimes increase the *possibility* of a site outage, because there will be more old pins out there you have to stay consistent with. I do agree that a 30 or 60 day limit will be cold comfort if you brick your site for that long. Certainly, pinning will need other safeguards. One safeguard could be some sort of "pin activation", where new or changed pins are not accepted immediately, but must be observed for some period of time before they "activate". I know this WG considered a mechanism similar to TACK. TACK's exact mechanism doesn't translate well to HPKP, but perhaps there is something else to be done. It may be worth more thought. Trevor _______________________________________________ websec mailing list websec@ietf.org https://www.ietf.org/mailman/listinfo/websec