On Fri, Mar 22, 2013 at 2:39 PM, websec issue tracker <[email protected]> wrote:
> #57: Re-add an upper limit to max-age
>
> Comment (by [email protected]):
>
> Rather, it was decided that there should be implementation guidance for
> setting an upper limit, including discussing the security considerations
> /trade-offs of high vs. low maximum max-age values.
So this maximum is a "local policy" decided by the UA? It might be good to also have a spec-mandated maximum.

There are cases where you (a domain owner) might have unknown pins or bad pins. For example:

- you purchased a domain name from someone
- the domain name was victimized by domain hijacking or domain squatting
- you misconfigured pins for your domain

If there's no spec-mandated maximum, then there's no point in time at which all old pins are guaranteed to have been expired, and you can start referring people to this domain safely. With a spec maximum (say 30 days), then you have a clear reference point to plan around.

Trevor

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
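The planning argument above (a cap gives the new domain owner a date after which no stale pin can still be enforced) can be made concrete. The following is an added example written for this page, not code from the thread, the websec draft or any browser: it parses Public-Key-Pins headers using the syntax as later standardized in RFC 7469, clamps the advertised max-age to a cap, and computes the earliest instant by which every pin a previous owner served has expired. The 30-day cap is the figure floated in the message, not a value any spec mandates; the pin values and the two "legacy" observations are constructed placeholders.

```python
"""Added example, not from the websec thread or the HPKP draft: what a spec
or UA cap on max-age buys a domain owner who inherited unknown pins.

Header syntax follows RFC 7469 (the spec this draft became); the 30-day cap
is the figure floated in the message, not a value any spec mandates.
"""
from datetime import datetime, timedelta, timezone

# Hypothetical ceiling on max-age, as the message suggests ("say 30 days").
SPEC_MAX_AGE_CAP = 30 * 24 * 3600

# Constructed placeholder pin (base64 of 32 zero bytes), not a real key hash.
_PLACEHOLDER_PIN = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="

# Constructed observations: pins the previous owner of a domain served before
# the transfer, recorded as (time a client received them, header value).
LEGACY_HEADER_JAN = f'pin-sha256="{_PLACEHOLDER_PIN}"; max-age=31536000; includeSubDomains'
LEGACY_HEADER_MAR = f'pin-sha256="{_PLACEHOLDER_PIN}"; max-age=5184000'
LEGACY_OBSERVATIONS = [
    (datetime(2013, 1, 1, tzinfo=timezone.utc), LEGACY_HEADER_JAN),  # one year
    (datetime(2013, 3, 1, tzinfo=timezone.utc), LEGACY_HEADER_MAR),  # 60 days
]


def parse_pkp_header(value):
    """Parse a Public-Key-Pins header into (pins, max_age, include_subdomains).

    Returns None for a header a UA must ignore: no max-age, a non-numeric
    max-age, or no pin-sha256 directive.
    """
    pins, max_age, include_subdomains = [], None, False
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        name, raw = name.strip().lower(), raw.strip().strip('"')
        if name == "pin-sha256" and raw:
            pins.append(raw)
        elif name == "max-age":
            if not raw.isdigit():
                return None
            max_age = int(raw)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None or not pins:
        return None
    return pins, max_age, include_subdomains


def effective_max_age(max_age, cap=SPEC_MAX_AGE_CAP):
    """Lifetime a UA actually stores: the advertised max-age clamped to cap.

    cap=None models the situation the message warns about: no upper bound, so
    the pin lives for whatever the (possibly hostile) previous owner chose.
    """
    return max_age if cap is None else min(max_age, cap)


def pin_expiry(received_at, header, cap=SPEC_MAX_AGE_CAP):
    """Instant at which a pin set received at received_at stops being enforced."""
    parsed = parse_pkp_header(header)
    if parsed is None:
        return None
    _, max_age, _ = parsed
    return received_at + timedelta(seconds=effective_max_age(max_age, cap))


def all_pins_expired_by(observations, cap=SPEC_MAX_AGE_CAP):
    """Earliest instant after which every observed pin set has expired.

    With a cap this is at most cap seconds after the last moment a client
    could have received a pin, which is the planning reference point the
    message asks for; without one it is governed by the largest max-age seen.
    """
    expiries = [pin_expiry(t, h, cap) for t, h in observations]
    expiries = [e for e in expiries if e is not None]
    return max(expiries) if expiries else None


if __name__ == "__main__":
    print("no cap:    ", all_pins_expired_by(LEGACY_OBSERVATIONS, cap=None))
    print("30-day cap:", all_pins_expired_by(LEGACY_OBSERVATIONS))
```

With the constructed observations, the uncapped answer is 2014-01-01 (driven entirely by the one-year pin from January), while a 30-day cap brings it to 2013-03-31, thirty days after the last pin any client could have received. Note that the cap only bounds how long a stale pin lives once received; the owner still needs to know when the old headers stopped being served.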
