A big use case that we want to support for our apps is to be able to push out security policy for domains that we know are being targeted.
We can't push out security policy for every site on the Web into clients, but we can easily cover the top 95% of targeted sites with a pretty short list of policy statements. And a huge sub-case here would be to pull up security policy for an employer's site for a company machine. This is done today with real utility, but it's all proprietary. But that really should be agile across multiple protocols. So for example, HTTP, IMAP, POP3.

On Fri, Oct 14, 2011 at 8:56 PM, Tom Ritter <[email protected]> wrote:
> On 14 October 2011 18:05, =JeffH <[email protected]> wrote:
> > from <https://tools.ietf.org/html/draft-evans-palmer-hsts-pinning-00> :
> >
> > Thoughts?
>
> I agree. Separating it into a header may also enable it to find its
> way into other protocols that travel over TLS, and reuse some of the
> same parsing/validation code.
>
> -tom
> _______________________________________________
> websec mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/websec

--
Website: http://hallambaker.com/
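As an added illustration of the preloaded, protocol-agnostic policy list proposed in the message above (this is constructed example code, not from the draft or from anyone on the thread; the policy fields, the sample hosts and the SPKI bytes are all assumptions):

```python
"""Constructed sketch: a short preloaded security-policy list that a client
consults before connecting over HTTP, IMAP or POP3. Fields are assumptions."""
from dataclasses import dataclass
import hashlib


def spki_sha256(spki_der: bytes) -> str:
    """Hex SHA-256 of a DER SubjectPublicKeyInfo (the usual pin material)."""
    return hashlib.sha256(spki_der).hexdigest()


@dataclass(frozen=True)
class Policy:
    require_tls: bool = True
    include_subdomains: bool = False          # HSTS-style subdomain coverage
    protocols: frozenset = frozenset({"http", "imap", "pop3"})
    pinned_spki_sha256: frozenset = frozenset()  # empty set = no pinning


# Constructed stand-in for a real public key; only its hash is preloaded.
GOOD_SPKI = b"constructed-spki-bytes-for-example.com"

# Constructed preload list: a short list of statements for targeted hosts.
PRELOAD = {
    "example.com": Policy(include_subdomains=True,
                          pinned_spki_sha256=frozenset({spki_sha256(GOOD_SPKI)})),
    "mail.example.org": Policy(protocols=frozenset({"imap", "pop3"})),
}


def lookup(host: str, protocol: str):
    """Most specific preloaded policy for host, honouring include_subdomains,
    or None when no statement applies to this host for this protocol."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        pol = PRELOAD.get(".".join(labels[i:]))
        if pol is None or (i > 0 and not pol.include_subdomains):
            continue
        return pol if protocol in pol.protocols else None
    return None


def check_connection(host: str, protocol: str, tls: bool, spki_der: bytes = None):
    """Return (allowed, reason) for a connection under the preloaded policy."""
    pol = lookup(host, protocol)
    if pol is None:
        return True, "no preloaded policy"
    if pol.require_tls and not tls:
        return False, "policy requires TLS"
    if pol.pinned_spki_sha256:
        if spki_der is None or spki_sha256(spki_der) not in pol.pinned_spki_sha256:
            return False, "presented public key is not in the pin set"
    return True, "policy satisfied"
```

The same lookup serves every protocol, which is the point the message makes: one list, one validation path, whether the client is about to speak HTTP or fetch mail over IMAP.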
