On Wed, 8 Mar 2017 16:28:35 +0100 Alexander Wuerstlein <[email protected]> wrote:
> There is another factor if one is bold enough to use it: The max-age
> of HPKP-Pins and administrative change time and TTL of TLSA DNS
> entries. Especially HPKP max-age must be _added_ to the
> aforementioned times if there is a chance that one would change the
> keypair when obtaining a new certificate. Recommendations for max-age
> are in the order of a month or even more.

This is one of the reasons why these days I tend to advise against HPKP
with the exception of high risk sites. There's just far too much that
can go wrong with HPKP.

My recommendation: For most people don't use HPKP. If you feel you
have a high risk of being a target of state-level adversaries you can
consider HPKP, but you should know really well what the various
caveats are and have a good plan for everything that can go wrong.
And before you use HPKP there are various other less risky things you
can do, e.g. monitoring CT logs.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: [email protected]
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

_______________________________________________
Ach mailing list
[email protected]
http://lists.cert.at/cgi-bin/mailman/listinfo/ach
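An added example, not from either poster: a small Python checker that parses a Public-Key-Pins header and turns the point quoted above into a number, the time a retired key must stay deployable (max-age plus administrative change time plus TLSA TTL), alongside the pre-deployment findings that make a key change an outage. The pins, header values and function names are constructed for the example.

```python
import base64
import hashlib
from datetime import timedelta

# Constructed sample pins (SPKI digests of made-up keys), not any real site's pins.
PIN_A = base64.b64encode(hashlib.sha256(b"constructed key A").digest()).decode()
PIN_B = base64.b64encode(hashlib.sha256(b"constructed backup key B").digest()).decode()
MONTH = 30 * 86400  # the "order of a month" max-age mentioned in the thread

GOOD_HEADER = f'pin-sha256="{PIN_A}"; pin-sha256="{PIN_B}"; max-age={MONTH}; includeSubDomains'
BAD_HEADER = f'pin-sha256="{PIN_A}"; max-age={MONTH}'  # constructed: only one pin

def parse_pkp(header):
    """Parse a Public-Key-Pins header value (RFC 7469 directives) into its parts."""
    parsed = {"pins": [], "max_age": None, "include_subdomains": False}
    for directive in header.split(";"):
        name, _, val = directive.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "pin-sha256":
            parsed["pins"].append(val)
        elif name == "max-age":
            parsed["max_age"] = int(val)
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
    return parsed

def rotation_lead_time(header, admin_change_seconds, tlsa_ttl_seconds):
    """How long the currently pinned key must remain usable after the decision to
    replace it: a client that fetched the header just before the change trusts the
    old pins for max-age, which is added to the change time and the TLSA TTL."""
    max_age = parse_pkp(header)["max_age"] or 0
    return timedelta(seconds=max_age + admin_change_seconds + tlsa_ttl_seconds)

def review_pkp(header):
    """Findings a defender wants before shipping the header; empty list means clean."""
    parsed = parse_pkp(header)
    findings = []
    if parsed["max_age"] is None:
        findings.append("max-age missing")
    if len(parsed["pins"]) < 2:
        findings.append("fewer than two pins: no backup pin, so a key change locks clients out")
    for pin in parsed["pins"]:
        try:  # a pin must be the base64 of a 32-byte SHA-256 digest
            ok = len(base64.b64decode(pin, validate=True)) == 32
        except ValueError:  # binascii.Error is a ValueError subclass
            ok = False
        if not ok:
            findings.append(f"pin-sha256 is not a base64 SHA-256 digest: {pin!r}")
    return findings
```

With a 30-day max-age, three days of administrative change time and a one-hour TLSA TTL, the old key has to stay servable for just over 33 days after the decision to rotate.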
