On 6/30/12 9:22 AM, Tobias Gondrom wrote:
> <hat="individual">
> I tend to agree with Jeff and Andy's comments.
>
> The real use case / need for "report-only" is not fully clear to me.
> Yes, it could always be nice to have one more test-case to run before
> going live with a system, but IMHO I am having a hard time seeing where
> this flag would really add value.
> And we should not add features (and complexity) such as "report-only" to
> an I-D just for the sake of it and because they might one day possibly
> help for an unclear or theoretical use-case.
Here is my reading of the thread. The examples that Alexey and Eric mentioned don't seem far-fetched (OCSP down, load-balancing between multiple certs). However, it's not clear to me that they are of significant concern, either. In both cases (and perhaps others), the response seems to be something like "use a better OCSP service" or "do more testing before you deploy interesting architectures".

Eric is right that the negative consequences of getting it wrong here are more significant than with DNS because the TTL of a pinned cert is much longer than the TTL of a DNS record. Thus if you want to use HSTS, you need to be more careful. Certainly it seems that an implementation note would be warranted.

I tend to agree with Jeff that if people feel a strong need for this, they can do so in a separate I-D (I don't particularly see a need for it to go into the core spec, but I might be missing something).

Peter

--
Peter Saint-Andre
https://stpeter.im/

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
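The "load-balancing between multiple certs" failure mode and the TTL argument in the message above can be made concrete with a small simulation. The following is an added example written for this page, not code from the thread, the I-D or any browser: it models a pinning client whose pin store is only refreshed over a connection that passed pin validation, so a pinned host that starts serving an unpinned key stays unreachable for the enforcing client until max-age expires, while a report-only client records the mismatch, continues, and picks up the corrected pin set immediately. The header syntax, the `PinningClient` class, the day-based timeline and the SPKI byte strings are all constructed for the example.

```python
import base64
import hashlib
import re
from dataclasses import dataclass

DAY = 86400


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64 of SHA-256 over the SubjectPublicKeyInfo DER."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


@dataclass
class PinEntry:
    pins: frozenset
    expires_at: int  # absolute time in seconds (noted time + max-age)


_PIN_RE = re.compile(r'pin-sha256="([A-Za-z0-9+/=]+)"')
_MAXAGE_RE = re.compile(r"max-age=(\d+)")


def parse_pin_header(value: str):
    """Parse a (constructed) pin header; require a backup pin, else ignore it."""
    pins = frozenset(_PIN_RE.findall(value))
    m = _MAXAGE_RE.search(value)
    if not m or len(pins) < 2:
        return None
    return pins, int(m.group(1))


class PinningClient:
    """Toy pinning user agent with an enforce / report-only switch (assumption)."""

    def __init__(self, report_only: bool = False):
        self.store = {}
        self.report_only = report_only
        self.reports = []

    def connect(self, host, now, chain_spkis, pin_header=None) -> bool:
        """Return True if the connection proceeds. chain_spkis: SPKI DER bytes per cert."""
        entry = self.store.get(host)
        if entry and now >= entry.expires_at:
            del self.store[host]
            entry = None
        if entry:
            presented = {spki_pin(s) for s in chain_spkis}
            if not (presented & entry.pins):
                self.reports.append({"host": host, "at": now, "seen": sorted(presented)})
                if not self.report_only:
                    # Enforcing: abort before any header is read, so the server
                    # cannot push a corrected pin set to this client.
                    return False
        # Connection validated: note or refresh pins from the response header.
        if pin_header:
            parsed = parse_pin_header(pin_header)
            if parsed:
                pins, max_age = parsed
                self.store[host] = PinEntry(pins, now + max_age)
        return True


def run_scenario(report_only: bool):
    """Day 0: host pins keys A (live) and B (backup) for 60 days.
    Day 30: a load-balanced node with unpinned key C is put in rotation.
    Returns (day0, day30, day31, day61 connect results, number of reports)."""
    spki_a = b"constructed-spki-A-live"      # placeholder, not a real key
    spki_b = b"constructed-spki-B-backup"    # placeholder, not a real key
    spki_c = b"constructed-spki-C-new-node"  # placeholder, not a real key
    header_ab = (f'pin-sha256="{spki_pin(spki_a)}"; '
                 f'pin-sha256="{spki_pin(spki_b)}"; max-age={60 * DAY}')
    header_ca = (f'pin-sha256="{spki_pin(spki_c)}"; '
                 f'pin-sha256="{spki_pin(spki_a)}"; max-age={60 * DAY}')
    client = PinningClient(report_only)
    host = "pinned.example.net"
    day0 = client.connect(host, 0, [spki_a], header_ab)
    day30 = client.connect(host, 30 * DAY, [spki_c], header_ca)
    day31 = client.connect(host, 31 * DAY, [spki_c], header_ca)
    day61 = client.connect(host, 61 * DAY, [spki_c], header_ca)
    return day0, day30, day31, day61, len(client.reports)


if __name__ == "__main__":
    print("enforce:     ", run_scenario(report_only=False))
    print("report-only: ", run_scenario(report_only=True))
```

The enforcing run stays broken from day 30 until the 60-day max-age lapses even though the server is already serving a corrected pin set, which is the asymmetry with DNS TTLs the message points at; the report-only run surfaces the same mismatch as a single report and self-heals on the next response.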
