On 26/09/17 03:17, Ryan Sleevi wrote:
> update in a year, are arguably outside of the scope of ‘reasonable’ use
> cases - the ecosystem itself has shown itself to change on at least that
> frequency.

Is "1 year" not a relatively common (for some value of "common") setting for HPKP timeouts for sites which think they have now mastered HPKP?

Does anyone have stats on HPKP prevalence and duration distribution? Ideally combined with whether the longer time periods are pinning to roots, intermediates or EE certs?

Gerv
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy