Hi, Tobias

On May 23, 2013, at 12:02 AM, Tobias Gondrom <tobias.gond...@gondrom.org> wrote:

<snip />

On Thu, May 16, 2013 at 12:58 AM, Tobias Gondrom <tobias.gond...@gondrom.org> wrote:

as mentioned before: I believe a time limit of 1 month is too short
considering that some of the high profile use cases (banks, etc.) may
only have monthly or bi-monthly usage. In which case the key pin would
regularly expire before people return to the site and the protection is
null.

You're assuming that pin assertions (like HPKP headers) are only processed by 
individual browsers.

I hope pin assertions will *also* be processed by web crawlers to create pin 
lists which are made available to browsers (via preloaded lists, secure links, 
online lookups, etc.)

In that case, having pins last a month (instead of shorter) keeps the frequency 
of re-crawling sites and re-downloading pin lists manageable.  Longer pins 
wouldn't be a big improvement.

The web crawler idea could be interesting as a solution to early pin expiry if 
we had a hard limit in the RFC, but only if _all_ browsers will 
implement and use them. Which from my current understanding is not on the 
horizon. At least I have seen no such indications. Otherwise you get the 
varying implementations through "creative approaches" you are worried about 
down below (and which I don't like either).

And maybe a question to go a step further:
Would you agree that if we did a 30-day hard limit as you propose, this 
would basically mean that all less frequent banking/PayPal/... users MUST (or a 
very strong SHOULD) use such a web crawler to make sure that their pin has not 
expired before they come back?
This would be a big problem in my eyes, as IMHO this assumption cannot be 
guaranteed nor expected to be rolled out consistently.

There is an alternative to the web crawler (although the crawler would be 
better). Your browser could refresh the pins in the background. If the pin is 
about to expire (say, in 7 days) and you have an Internet connection, the 
browser can silently open a connection to the server, see that the SSL 
handshake fits the pin, and refresh the entry in the local pin database. This 
won't scale very well if every site on the Internet has pins, but I don't 
really expect anyone to note more than several tens of pins (banking sites, 
some government, maybe things that accept credit cards). With less than 100 
sites, you can make do with noting 3-4 pins per day, which shouldn't consume 
too much traffic.

I guess browsers would stop refreshing pins if you don't visit the site for a 
year.

Yoav
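
The background-refresh scheme Yoav sketches above (refresh pins that expire within 7 days, verify the presented key against the stored pin, skip sites not visited for a year, and keep the daily handshake count small), worked through as an added example that is not code from the thread or from any browser. The local pin database, the SPKI blobs and the hostnames are constructed for the example, and `run_refresh_cycle` stands in for the real TLS handshakes a browser would perform.

```python
import base64
import hashlib
from datetime import datetime, timedelta

REFRESH_WINDOW = timedelta(days=7)   # refresh pins that expire within a week
VISIT_CUTOFF = timedelta(days=365)   # stop refreshing sites not visited for a year
DAILY_BUDGET = 4                     # only a few background handshakes per day

def spki_pin(spki_der: bytes) -> str:
    """HPKP pin value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def select_for_refresh(db, now):
    """Hosts due for a background refresh: visited within the last year and
    expiring inside the window, soonest first, capped by the daily budget."""
    due = [h for h, e in db.items()
           if now - e["last_visit"] <= VISIT_CUTOFF
           and e["expires"] - now <= REFRESH_WINDOW]
    due.sort(key=lambda h: db[h]["expires"])
    return due[:DAILY_BUDGET]

def refresh_pin(entry, presented_spkis, now):
    """Simulated handshake check: extend the stored expiry only if a key in the
    presented chain matches one of the stored pins. Returns True on refresh."""
    if any(spki_pin(s) in entry["pins"] for s in presented_spkis):
        entry["expires"] = now + timedelta(seconds=entry["max_age"])
        return True
    return False

def run_refresh_cycle(db, chains, now):
    """One daily cycle; returns {host: refreshed?} for the hosts attempted.
    `chains` stands in for the SPKI blobs a real TLS handshake would yield."""
    return {h: refresh_pin(db[h], chains.get(h, []), now)
            for h in select_for_refresh(db, now)}

# Constructed sample data: fake SPKI blobs and a small local pin database.
NOW = datetime(2013, 5, 23)
BANK_KEY, BANK_BACKUP, ROGUE_KEY = b"bank-spki-1", b"bank-spki-2", b"rogue-spki"
def make_entry(keys, expires_in_days, last_visit_days, max_age=30 * 86400):
    return {"pins": {spki_pin(k) for k in keys}, "max_age": max_age,
            "expires": NOW + timedelta(days=expires_in_days),
            "last_visit": NOW - timedelta(days=last_visit_days)}

PIN_DB = {
    "bank.example": make_entry([BANK_KEY, BANK_BACKUP], 3, 40),
    "shop.example": make_entry([b"shop-spki"], 5, 10),
    "old.example": make_entry([b"old-spki"], 1, 400),     # not visited in a year
    "fresh.example": make_entry([b"fresh-spki"], 20, 1),  # not due yet
}
CHAINS = {"bank.example": [BANK_BACKUP], "shop.example": [ROGUE_KEY]}
```

Running `run_refresh_cycle(PIN_DB, CHAINS, NOW)` attempts only the bank and shop hosts: the bank's expiry is pushed out by its max-age because the backup key matches, while the shop's entry is left untouched because the presented key matches no stored pin.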

_______________________________________________
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec
