Hi Gerv,

> On 28. Sep 2017, at 19:06, Gervase Markham via dev-security-policy <[email protected]> wrote:
>
> Is "1 year" not a relatively common (for some value of "common") setting
> for HPKP timeouts for sites which think they have now mastered HPKP?
We did a large-scale scan of about 200M domains for HPKP in April 2017. We found a max-age median duration of 1 month and about 10% of domains that set max-age values to 1 year or more. I am attaching the plot. HPKP is missing, as it is very similar to HPKP|HSTS. The associated paper will be camera-ready tomorrow, happy to share it then.

> Does anyone have stats on HPKP prevalence and duration distribution?
> Ideally combined with whether the longer time periods are pinning to
> roots, intermediates or EE certs?

We did not look into that, but it should be doable from the data.

Kind regards
Quirin
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
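The statistics discussed in this thread (median max-age, share of domains pinning for a year or more) come from parsing the `Public-Key-Pins` header. The following is an added example, not the poster's scan code and not data from the scan: it parses RFC 7469 HPKP directives from a handful of constructed headers, flags the settings a defender would want to review (fewer than two valid pins, missing max-age, max-age of a year or more), and computes the same two summary figures over the sample. The pin values are constructed from SHA-256 digests of labels and do not correspond to any real SPKI.

```python
"""Parse Public-Key-Pins (HPKP, RFC 7469) headers and summarise max-age choices.

Added illustration only; SAMPLE_HEADERS are constructed values, not results
from the 200M-domain scan mentioned in the thread.
"""
import hashlib
import statistics
from base64 import b64decode, b64encode

ONE_DAY = 86400
ONE_YEAR = 365 * ONE_DAY


def fake_pin(label: str) -> str:
    """Constructed pin: base64(SHA-256(label)). Right shape, not a real SPKI hash."""
    return b64encode(hashlib.sha256(label.encode()).digest()).decode()


# Constructed headers mixing sensible and questionable settings.
SAMPLE_HEADERS = [
    f'pin-sha256="{fake_pin("a-primary")}"; pin-sha256="{fake_pin("a-backup")}"; max-age=2592000',
    f'max-age=604800; includeSubDomains; pin-sha256="{fake_pin("b1")}"; pin-sha256="{fake_pin("b2")}"',
    f'pin-sha256="{fake_pin("c1")}"; pin-sha256="{fake_pin("c2")}"; max-age=2592000; '
    'report-uri="https://example.invalid/hpkp-report"',
    f'pin-sha256="{fake_pin("d1")}"; pin-sha256="{fake_pin("d2")}"; max-age=5184000',
    # One pin only and a one-year lifetime: a mistake here locks clients out for a year.
    f'pin-sha256="{fake_pin("e1")}"; max-age=31536000',
    # No max-age at all: browsers ignore the header entirely.
    f'pin-sha256="{fake_pin("f1")}"; pin-sha256="{fake_pin("f2")}"',
]


def _is_sha256_pin(value: str) -> bool:
    """A pin-sha256 value must be base64 of exactly 32 bytes."""
    try:
        return len(b64decode(value, validate=True)) == 32
    except ValueError:
        return False


def parse_hpkp(header: str) -> dict:
    """Split the header on ';' and interpret the RFC 7469 directives."""
    result = {"pins": [], "max_age": None, "include_subdomains": False, "report_uri": None}
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "pin-sha256":
            result["pins"].append(value)
        elif name == "max-age":
            result["max_age"] = int(value) if value.isdigit() else None
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "report-uri":
            result["report_uri"] = value
    return result


def audit(header: str):
    """Return (parsed header, list of findings a defender should review)."""
    parsed = parse_hpkp(header)
    findings = []
    valid_pins = [p for p in parsed["pins"] if _is_sha256_pin(p)]
    if len(valid_pins) < 2:
        findings.append("fewer than two valid pins (RFC 7469 requires a backup pin)")
    if parsed["max_age"] is None:
        findings.append("missing or malformed max-age; browsers ignore the header")
    elif parsed["max_age"] >= ONE_YEAR:
        findings.append("max-age of a year or more; a wrong pin is unrecoverable for that long")
    return parsed, findings


def summarize(headers):
    """Median max-age in days and the share of headers pinning for >= 1 year.

    Headers without a usable max-age are excluded, as they set no pin."""
    ages = [a for a in (parse_hpkp(h)["max_age"] for h in headers) if a is not None]
    median_days = statistics.median(ages) / ONE_DAY
    share_year_or_more = sum(1 for a in ages if a >= ONE_YEAR) / len(ages)
    return median_days, share_year_or_more


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        parsed, findings = audit(h)
        print(f"max-age={parsed['max_age']} pins={len(parsed['pins'])} findings={findings}")
    median_days, share = summarize(SAMPLE_HEADERS)
    print(f"median max-age: {median_days:.0f} days; >= 1 year: {share:.0%}")
```

Running the script prints one line per sample header with its findings, then the two summary figures for the constructed set. Over real scan data the same `summarize` call over the collected header strings gives the median and one-year share the thread discusses, and `audit` is the check worth running before deploying a header of your own.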

