> On Apr 18, 2018, at 4:52 PM, Richard Barnes <r...@ipv.sx> wrote:
>
> Secondary point. Still don't think we should deliberately include undefined
> fields, e.g., because part of the discussion is whether 16 bits is the right
> size.
16 bits is clearly enough. If the units are hours, that gets you ~7.5 years. Pinning for less than an hour is pointless: it then becomes smaller than typical DNS TTLs for the TLSA RRset the client got previously, which it can cache without any pinning. Pinning for more than 7.5 years is absurd; it only protects clients that connect less than twice per decade...

-- 
Viktor.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls