On Tue, Nov 10, 2009 at 7:40 PM, Bil Corry <b...@corry.biz> wrote:
> Gervase Markham wrote on 10/01/2009 5:51 PM:
>> I therefore propose a simple extension to the STS standard; a single
>> token to be appended to the end of the header:
>>
>> lockCA
>
> One idea to consider, especially for lockCA, is to somehow denote that STS
> should expire at the same time as the cert, perhaps by omitting max-age or
> allowing max-age=cert, etc. This will prevent accidentally causing STS to
> last longer or shorter than the cert expiration, especially when it's rotated
> out or revoked.
Why do we need a browser mechanism for that? It seems like the site can easily compute whatever max-age value it wishes to set.

Adam
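As an added illustration of the server-side computation Adam describes (example code, not from anyone in this thread): the site derives max-age from its certificate's notAfter at response time, so the STS entry cannot outlive the certificate, and once the certificate has expired the header carries max-age=0, which tells browsers to drop the entry. The certificate expiry and clock values are constructed for the example, and the `lockCA` token is the proposal from this thread, not a standardised directive.

```python
from datetime import datetime, timezone

# Constructed values for the example; not taken from any real certificate.
CERT_NOT_AFTER = datetime(2010, 11, 10, 19, 40, tzinfo=timezone.utc)
NOW_BEFORE_EXPIRY = datetime(2010, 11, 9, 19, 40, tzinfo=timezone.utc)   # one day left
NOW_AFTER_EXPIRY = datetime(2010, 11, 11, 0, 0, tzinfo=timezone.utc)     # cert already expired


def sts_max_age(cert_not_after, now):
    """Seconds of STS lifetime remaining until the certificate expires.

    Clamped at 0: a site that keeps sending the header after its certificate
    expired then emits max-age=0, so browsers discard the STS entry instead
    of staying pinned to a certificate that no longer validates.
    """
    remaining = cert_not_after - now
    return max(0, int(remaining.total_seconds()))


def sts_header_value(cert_not_after, now, include_subdomains=False, lock_ca=False):
    """Build the Strict-Transport-Security header value with max-age tied to
    the certificate, as the site can do itself without a browser mechanism.

    lock_ca appends the 'lockCA' token proposed in this thread (hypothetical
    directive; not part of the STS specification).
    """
    directives = [f"max-age={sts_max_age(cert_not_after, now)}"]
    if include_subdomains:
        directives.append("includeSubDomains")
    if lock_ca:
        directives.append("lockCA")
    return "; ".join(directives)


if __name__ == "__main__":
    for now in (NOW_BEFORE_EXPIRY, NOW_AFTER_EXPIRY):
        print(f"Strict-Transport-Security: "
              f"{sts_header_value(CERT_NOT_AFTER, now, include_subdomains=True, lock_ca=True)}")
```

Because the value is recomputed on every response, rotating the certificate early simply changes the next header the site sends; the only thing the server cannot undo is an entry already cached by a client that has not returned, which is the same exposure a fixed max-age would carry.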