Hi Dan,

<hat="individual">

thank you for the info. And a good point.

Tobias

On 23/05/13 03:43, Daniel Veditz wrote:
> On 5/22/2013 3:29 PM, Trevor Perrin wrote:
>> The draft discusses "Preloaded Pin Lists", which are presumably conveyed
>> to the UA from some 3rd party (e.g. browser vendor). It seems reasonable
>> for such lists to be created or kept fresh by scanning web sites. I
>> believe Mozilla is taking this approach to HSTS [1].
>
> Note that Mozilla currently requires sites to specify an HSTS pinning
> time of at least 18 WEEKS to be included in the pre-load list. There
> was concern that sites with shorter pins could have stopped using HSTS
> by the time that version of the browser shipped. I personally think that's
> a little strict, but even if we relaxed the requirement to the length
> of a Beta cycle that's still a longer period of time (6 weeks) than
> the maximum 30 days you're suggesting.
>
> This has no direct bearing on whether 30 days is a reasonable max
> pinning length, but I doubt Mozilla would ship a pre-loaded list if
> the lifetime was so short that pins would have expired by the time the
> user gets it.
>
> -Dan Veditz
>
> _______________________________________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/listinfo/websec