On Wed, Apr 18, 2018 at 05:01:54PM -0400, Richard Barnes wrote:
> On Wed, Apr 18, 2018 at 4:56 PM, Viktor Dukhovni <ietf-d...@dukhovni.org>
> wrote:
> > > On Apr 18, 2018, at 4:52 PM, Richard Barnes <r...@ipv.sx> wrote:
> > >
> > > Secondary point.  Still don't think we should deliberately include
> > undefined fields, e.g., because part of the discussion is whether 16 bits
> > is the right size.
> >
> > 16 bits is clearly enough.  If the units are hours that gets you ~7.5
> > years.  Pinning for less than an hour is pointless, it then becomes smaller
> > than typical DNS TTLs for the TLSA RRset the client got previously, which
> > it can cache without any pinning.
> >
> > Pinning for more than 7.5 years is absurd, it only protects clients that
> > connect less than twice per decade...
> 
> 640k should be enough for anyone.

That's just silly.  Really, 7.5 years (relative, not absolute) measured
in hours is plenty good enough, and more than outlives current device
obsolescence.  This isn't subject to Moore's law or anything like it.

> `preload`?  `includeSubdomains`?  Experience with HSTS and HPKP shows you
> need more than an integer.

No, we need none of those things.  We want only to pin the presence of
this extension.  Anything else would be operationally difficult (as seen
with HPKP).  As to subdomains, we're willing to live with TOFU semantics
for all of them.

Nico
-- 

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
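The pinning semantics argued for in the message above (pin only the presence of the extension, a relative lifetime carried as a 16-bit count of hours, per-hostname TOFU with no preload or includeSubdomains) as a client-side cache. This is an added example, not code from the thread, from either poster, or from any IETF draft; the field layout (one unsigned big-endian uint16 of hours), the names, and the choice that a lifetime of 0 clears the pin are this example's assumptions, not the draft's wire format.

```python
"""Client-side "pin the presence of the extension" cache.

Added example (not from the mailing-list thread or any IETF draft).  Models the
semantics argued for in the thread: the only thing pinned is that a host sent
the DNSSEC-chain extension, for a relative lifetime carried as a 16-bit count
of hours.  Field layout, names and edge-case behaviour are assumptions made
here for illustration, not the draft's wire format.
"""
import struct
import time

HOUR = 3600
MAX_LIFETIME_HOURS = 0xFFFF          # largest value a uint16 can carry


def max_lifetime_years(hours=MAX_LIFETIME_HOURS):
    """Upper bound on a pin expressed in 16-bit hours (about 7.48 years)."""
    return hours / (24 * 365.25)


def encode_lifetime(hours):
    """Serialise the lifetime as an unsigned 16-bit big-endian field (assumed layout)."""
    if not 0 <= hours <= MAX_LIFETIME_HOURS:
        raise ValueError("lifetime must fit in 16 bits")
    return struct.pack("!H", hours)


def decode_lifetime(data):
    """Parse the 2-byte lifetime field; anything else is a malformed extension."""
    if len(data) != 2:
        raise ValueError("lifetime field is exactly 2 bytes")
    return struct.unpack("!H", data)[0]


class ExtensionPinCache:
    """TOFU cache keyed by exact hostname: no includeSubdomains, no preload."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._expiry = {}     # hostname -> absolute expiry on the client's clock

    def is_pinned(self, host):
        exp = self._expiry.get(host)
        if exp is None:
            return False
        if exp <= self._clock():
            del self._expiry[host]    # pin lapsed; the host is back to TOFU
            return False
        return True

    def observe(self, host, extension_present, lifetime_field=None):
        """Process one handshake with `host`.

        Returns True if the connection may proceed, False if it must be
        rejected because a pinned host failed to send the extension.
        """
        pinned = self.is_pinned(host)
        if not extension_present:
            # Not pinned: first contact (or lapsed pin), trust on first use.
            # Pinned: the extension must be there, so its absence is a hard failure.
            return not pinned
        hours = decode_lifetime(lifetime_field)
        if hours == 0:
            # Assumed convention: lifetime 0 clears any existing pin.
            self._expiry.pop(host, None)
        else:
            # Relative lifetime, anchored to the client's clock at receipt.
            self._expiry[host] = self._clock() + hours * HOUR
        return True


def demo():
    """Constructed scenario: three connections to one host under a fake clock."""
    now = [1_000_000.0]                    # fake clock so the run is deterministic
    cache = ExtensionPinCache(clock=lambda: now[0])
    first = cache.observe("mail.example", True, encode_lifetime(24 * 7))  # pin for 1 week
    now[0] += 3 * 24 * HOUR
    downgrade = cache.observe("mail.example", False)   # extension stripped while pinned
    now[0] += 5 * 24 * HOUR
    after_expiry = cache.observe("mail.example", False)  # pin lapsed, TOFU again
    return first, downgrade, after_expiry


if __name__ == "__main__":
    print(f"16-bit hours caps a pin at {max_lifetime_years():.2f} years")
    print(demo())   # (True, False, True)
```

Because the lifetime is relative to the moment the client received it, the cache never compares against an absolute date, so clock skew between client and server does not matter and a device that sleeps for years simply finds its pin expired on wake-up. Subdomains are separate keys: a pin for mail.example says nothing about sub.mail.example, which gets its own first-use decision.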
