Hi folks,

We think it's time to move on with Key Pinning, as there haven't been substantial issues raised in months. The one outstanding contentious issue is the one in the subject: http://trac.tools.ietf.org/wg/websec/trac/ticket/57

We've heard the argument that allowing pins to exist for indefinitely long can cause a site to be bricked for that period because of simple mistakes like changing certificate vendor or changing ownership of the domain name. We've also heard the counter-argument that some domains are visited infrequently, so short pins would do nothing for them.

So here are some options. Please reply to this thread with your preference. Arguments are good, but "+1" works as well. So… How should we handle the max-max-age issue:

(1) No hard limits, but allow UAs to limit the pin time. Suggest a month.
(2) Set a hard limit of one month in the RFC. Longer pins are truncated.
(3) No hard limits, but allow the UA to skip hard-fail if a pin hasn't been observed for some time (like a month).
(4) Adopt some gradual confidence-building scheme à la TACK.

"None of the above" is possible, but MUST come with argument and proposed text.

Let's give this until Wednesday, 22-May.

Thanks
Tobias & Yoav
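To make the trade-off behind options (1)/(2) and (3) concrete, here is an added Python sketch of a user-agent pin store; it is not code from the original message, the websec working group, or any browser. It assumes a `Public-Key-Pins`-style header carrying `pin-sha256="..."` directives and a `max-age` in seconds (the draft's header shape, treated here as an assumption), and it uses constructed SPKI byte strings instead of real certificates. `Policy.UA_CAP` clamps the advertised lifetime to a ceiling (the "about a month" figure from the thread), so an over-long pin simply expires early; `Policy.STALE_SKIP` keeps the full lifetime but stops hard-failing once the pinned key has not been seen for that long. Option (4), the TACK-style confidence scheme, is not modelled.

```python
"""Toy HPKP-style pin store illustrating two ways to bound the damage of a bad pin.

Hypothetical/constructed: the header syntax, the SPKI byte strings, and the
policy names are assumptions for this example, not the working group's text.
"""
from __future__ import annotations

import base64
import hashlib
import re
from dataclasses import dataclass
from enum import Enum

DAY = 86400
ONE_MONTH = 30 * DAY  # the "about a month" ceiling discussed in the thread


class Policy(Enum):
    UA_CAP = 1      # options (1)/(2): clamp max-age to a ceiling, pin simply expires sooner
    STALE_SKIP = 3  # option (3): keep the pin, but stop hard-failing once it goes unobserved


@dataclass
class PinEntry:
    pins: set[str]      # base64(SHA-256(SPKI)) values the host is allowed to present
    expires_at: int     # absolute time (s) after which the pin is forgotten
    last_observed: int  # last time a connection actually presented one of the pinned keys


def spki_pin(spki: bytes) -> str:
    """Compute the pin-sha256 value for a SubjectPublicKeyInfo blob."""
    return base64.b64encode(hashlib.sha256(spki).digest()).decode("ascii")


def build_header(keys: list[bytes], max_age: int) -> str:
    """Construct a header value in the assumed pin-sha256/max-age form."""
    pins = "; ".join(f'pin-sha256="{spki_pin(k)}"' for k in keys)
    return f"{pins}; max-age={max_age}"


class PinStore:
    def __init__(self, policy: Policy, limit: int = ONE_MONTH) -> None:
        self.policy = policy
        self.limit = limit
        self.entries: dict[str, PinEntry] = {}

    def observe_header(self, host: str, header: str, now: int) -> PinEntry | None:
        """Record or refresh pins from a header received over a validated connection."""
        pins = set(re.findall(r'pin-sha256="([^"]+)"', header))
        match = re.search(r"max-age=(\d+)", header)
        if not pins or match is None:
            return None
        max_age = int(match.group(1))
        if self.policy is Policy.UA_CAP:
            # Option (1)/(2): a one-year pin becomes a one-month pin; a stale or
            # mistaken pin can therefore brick the site for at most `limit` seconds.
            max_age = min(max_age, self.limit)
        entry = PinEntry(pins=pins, expires_at=now + max_age, last_observed=now)
        self.entries[host] = entry
        return entry

    def check(self, host: str, chain_spki: list[bytes], now: int) -> str:
        """Decide what to do with a connection whose chain presents `chain_spki`.

        Returns one of: 'no-pin', 'ok', 'stale-skip', 'hard-fail'.
        """
        entry = self.entries.get(host)
        if entry is None or now >= entry.expires_at:
            self.entries.pop(host, None)  # expired pins are dropped, not enforced
            return "no-pin"
        presented = {spki_pin(spki) for spki in chain_spki}
        if presented & entry.pins:
            entry.last_observed = now  # the pinned key is still live; refresh the sighting
            return "ok"
        if self.policy is Policy.STALE_SKIP and now - entry.last_observed > self.limit:
            # Option (3): the pin is still within max-age, but nothing has matched it
            # for over `limit` seconds, so the UA declines to hard-fail the connection.
            return "stale-skip"
        return "hard-fail"


# Constructed sample keys standing in for real SubjectPublicKeyInfo blobs.
KEY_A = b"constructed-spki-for-key-A"
KEY_B = b"constructed-spki-for-key-B"  # e.g. the key from a new certificate vendor


def demo(host: str = "example.test") -> dict[str, str]:
    """Walk both policies through the 'site switched to key B after pinning key A' scenario."""
    header = build_header([KEY_A], max_age=365 * DAY)  # operator asks for a one-year pin
    results = {}

    capped = PinStore(Policy.UA_CAP)
    capped.observe_header(host, header, now=0)
    results["cap_day10"] = capped.check(host, [KEY_B], now=10 * DAY)          # still bricked
    results["cap_day31"] = capped.check(host, [KEY_B], now=ONE_MONTH + DAY)   # pin has expired

    stale = PinStore(Policy.STALE_SKIP)
    stale.observe_header(host, header, now=0)
    results["stale_day10"] = stale.check(host, [KEY_B], now=10 * DAY)         # still bricked
    results["stale_day31"] = stale.check(host, [KEY_B], now=ONE_MONTH + DAY)  # unobserved for a month
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The two policies differ in what a long `max-age` buys an infrequently visited site: under `UA_CAP` the pin is gone after a month regardless of traffic, while under `STALE_SKIP` it stays enforced for as long as visits keep refreshing `last_observed`, and only relaxes once the pinned key has actually been absent for the grace period.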