On Mon, April 1, 2013 3:28 pm, Chris Palmer wrote:
> On Wed, Mar 27, 2013 at 7:54 PM, Tom Ritter <[email protected]> wrote:
>
> > "The UA MUST evict all expired Known Pinned Hosts if at any time, an
> > expired Known Pinned Host exists in the cache"
> >
> > I use rrdtool to keep 5 years of statistics for my server. Once, I
> > accidentally set the date forward, to 2038, wiping out my statistics -
> > there was no way to recover, because rrdtool dutifully wiped all this
> > expired data.
> >
> > Using the word 'evict' seems particularly dangerous, for both active
> > ntp attacks, and accidental wiping.
>
> Yoav says the text works for him. I wonder if we can satisfy both by
> saying something like "the UA MUST ignore expired Known Pinned Hosts
> in the cache." That way, if the client machine gets its clock fixed
> and the expired KPHs become un-expired, happiness will ensue once
> again. Ryan, thoughts?
> _______________________________________________
> websec mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/websec
>
Something like that works for me. The spec only needs to ensure that the visible client behaviour remains consistent - and ignoring expired Known Pinned Hosts data is the desired effect of the present language, so it's fine to specify it this way.

That said, I expect clients will probably continue with the "evict the cache" approach, which would be fine and spec-compliant. I think there'd only be an issue if there was language being proposed that said clients *should not* evict the cache - as you could make an argument on security considerations using Tom's example.
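To make the "evict" versus "ignore" distinction concrete, here is an added example (not code from the thread or from any browser) of a toy Known Pinned Hosts cache under both policies, run through Tom's scenario of a clock accidentally set to 2038 and then corrected. Host names, pin values and timestamps are constructed.

```python
# Added example: toy Known Pinned Hosts cache contrasting the two readings
# of the spec text ("evict" vs "ignore" expired entries).
from dataclasses import dataclass

YEAR_2038 = 2_145_916_800  # constructed: roughly 1 Jan 2038 as a Unix timestamp


@dataclass
class KnownPinnedHost:
    host: str
    pins: frozenset   # SPKI fingerprints (constructed placeholders below)
    expires_at: int   # Unix time at which max-age runs out


class PinCache:
    """Cache of Known Pinned Hosts; evict_on_expiry selects the policy."""

    def __init__(self, evict_on_expiry: bool):
        self.evict_on_expiry = evict_on_expiry
        self._entries: dict[str, KnownPinnedHost] = {}

    def add(self, kph: KnownPinnedHost) -> None:
        self._entries[kph.host] = kph

    def lookup(self, host: str, now: int):
        """Return the pins to enforce for host, or None if none apply."""
        if self.evict_on_expiry:
            # "evict": permanently drop every expired entry as soon as one is seen.
            for h in [h for h, e in self._entries.items() if e.expires_at <= now]:
                del self._entries[h]
        kph = self._entries.get(host)
        if kph is None or kph.expires_at <= now:
            # "ignore": expired data is not enforced, but the entry stays cached.
            return None
        return kph.pins


def clock_jump_scenario(evict_on_expiry: bool):
    """Pin a host, jump the clock to 2038, then fix it an hour after t0.
    Returns the pins visible (before, during, after) the clock excursion."""
    cache = PinCache(evict_on_expiry)
    pins = frozenset({"sha256/CONSTRUCTED_PIN_A", "sha256/CONSTRUCTED_PIN_B"})
    t0 = 1_364_428_440  # constructed: around 27 Mar 2013
    cache.add(KnownPinnedHost("example.test", pins, expires_at=t0 + 60 * 86400))
    before = cache.lookup("example.test", t0)
    during = cache.lookup("example.test", YEAR_2038)  # clock wrongly far ahead
    after = cache.lookup("example.test", t0 + 3600)   # clock corrected
    return before, during, after
```

Both policies return no pins while the clock is wrong, so the visible behaviour is the same; only the "ignore" cache still enforces the pins once the clock is corrected.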
