> On Apr 18, 2018, at 4:52 PM, Richard Barnes <r...@ipv.sx> wrote:
> 
> Secondary point.  Still don't think we should deliberately include undefined 
> fields, e.g., because part of the discussion is whether 16 bits is the right 
> size.

16 bits is clearly enough.  If the units are hours that gets you ~7.5 years.  
Pinning for less than an hour is pointless; it then becomes smaller than 
typical DNS TTLs for the TLSA RRset the client got previously, which it can 
cache without any pinning.

Pinning for more than 7.5 years is absurd; it only protects clients that connect 
less than twice per decade...

-- 
        Viktor.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls