On Mon, Jan 2, 2012 at 3:29 PM, =JeffH <[email protected]> wrote:
> hm ... I lean towards keeping max-age as REQUIRED (without a default value) > and thus hopefully encouraging deployers to think a bit about this and its > ramifications, and also because its value is so site-specific in terms of a > web application's needs, deployment approach, and tolerance for downside > risk of breaking itself. I feel the same way for public key pinning, for the same reason. _______________________________________________ websec mailing list [email protected] https://www.ietf.org/mailman/listinfo/websec
