On Tue, Jul 3, 2012 at 3:18 PM, Peter Saint-Andre <[email protected]> wrote:
> more testing before you deploy interesting architectures". Eric is right
> that the negative consequences of getting it wrong here are more
> significant than with DNS because the TTL of a pinned cert is much
> longer than the TTL of a DNS record. Thus if you want to use HSTS, you
> need to be more careful. Certainly it seems that an implementation note
> would be warranted. I tend to agree with Jeff that if people feel a
> strong need for this, they can do so in a separate I-D (I don't
> particularly see a need for it to go into the core spec, but I might be
> missing something).

(HSTS is not the same as pinning, fwiw.)

In my pinning draft (as it currently stands), you can set any TTL (max-age) you want; in TACK, you can revoke a pin any time you want.

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
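The distinction the reply draws (HSTS only commits a client to TLS, a pin commits it to specific keys, and both commitments last for the header's max-age) is easiest to see by parsing the two headers the way a client would cache them. The following is an added example written for this archive page, not code from the thread, the pinning draft, or TACK. It assumes the header syntax later standardised in RFC 6797 (Strict-Transport-Security) and RFC 7469 (Public-Key-Pins); the 2012 draft under discussion may have used different directive names. The sample headers, the 300-second DNS TTL and the 60-day review threshold are constructed values.

```python
"""Cache an HSTS or key-pinning header as a client would, then compare the
resulting commitment against a DNS TTL and a deployment sanity threshold.
Header syntax assumed from RFC 6797 / RFC 7469 (assumption for this example)."""
from datetime import datetime, timedelta, timezone


def parse_directives(header_value):
    """Parse 'name=value; name; ...' into a dict (names lower-cased, quotes stripped).
    A directive that repeats, such as pin-sha256, collects into a list."""
    result = {}
    for piece in header_value.split(";"):
        piece = piece.strip()
        if not piece:
            continue
        name, _, value = piece.partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name in result:
            existing = result[name]
            result[name] = (existing if isinstance(existing, list) else [existing]) + [value]
        else:
            result[name] = value
    return result


def cached_policy(header_name, header_value, received_at):
    """Return what a conforming client remembers after seeing the header.
    HSTS yields no pins: it forces TLS but does not name any key."""
    d = parse_directives(header_value)
    max_age = int(d.get("max-age", "0"))
    pins = d.get("pin-sha256", [])
    if isinstance(pins, str):
        pins = [pins]
    return {
        "kind": "pins" if header_name.lower() == "public-key-pins" else "hsts",
        "max_age": max_age,
        "expires": received_at + timedelta(seconds=max_age),
        "include_subdomains": "includesubdomains" in d,
        "pins": pins,
    }


def ttl_ratio(policy, dns_ttl_seconds):
    """How many DNS TTLs the client will honour this policy for: the gap the
    thread describes between fixing a DNS mistake and fixing a pin mistake."""
    return policy["max_age"] / dns_ttl_seconds


def review_pins(policy, max_acceptable_days=60):
    """Pre-deployment checks for a pin policy (threshold is an assumed operational choice)."""
    findings = []
    if policy["kind"] != "pins":
        return findings
    if policy["max_age"] > max_acceptable_days * 86400:
        findings.append(
            f"max-age {policy['max_age']}s exceeds {max_acceptable_days} days: "
            "a wrong pin locks clients out for that long")
    if len(policy["pins"]) < 2:
        findings.append("fewer than two pins: no backup key to rotate to within the pin lifetime")
    return findings


# Constructed sample headers and timestamp (not taken from any real site).
NOW = datetime(2012, 7, 3, 15, 18, tzinfo=timezone.utc)
HSTS = "max-age=31536000; includeSubDomains"
PINS = 'pin-sha256="<spki-hash-1>"; pin-sha256="<spki-hash-2>"; max-age=5184000; includeSubDomains'

if __name__ == "__main__":
    for name, value in (("Strict-Transport-Security", HSTS), ("Public-Key-Pins", PINS)):
        policy = cached_policy(name, value, NOW)
        print(f"{name}: expires {policy['expires'].isoformat()}, "
              f"{ttl_ratio(policy, 300):.0f} DNS TTLs of 300s, pins={policy['pins']}")
        for finding in review_pins(policy):
            print("  !", finding)
```

Running it shows the asymmetry the reply is getting at: the HSTS entry only says "use TLS" for its max-age, whereas the pin entry names the keys that must appear, so the same max-age is a far stronger commitment. Shortening that commitment is a matter of sending a smaller max-age, which is the knob the draft exposes.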
