On Tue, May 7, 2013 at 12:13 AM, Yoav Nir <[email protected]> wrote:
>
> How should we handle the max-max-age issue:
> (1) No hard limits, but allow UAs to limit the pin time. Suggest a month
> (2) Set a hard limit of one month in the RFC. Longer pins are truncated.
> (3) No hard limits, but allow the UA to skip hard-fail if a pin hasn't
> been observed for some time (like a month)
> (4) Adopt some gradual confidence-building scheme a-la-TACK.
>
Hi Yoav,
I suggest this could be viewed as two separate questions:
A) Should there be / what is the spec-mandated max pin lifetime?
- (this is your 1/2/3)
B) How are pin lifetimes set?
- server assertion ("max-age")
- confidence building (e.g. "pin activation")
- some combination? something else?
These questions are somewhat independent: you could have a spec-mandated
max regardless of whether pin lifetimes are set from server assertions *or*
confidence-building.
Anyways, the first question has been discussed a bunch, and I think it's
reasonable to try to get a consensus. My vote is #2, with "30 days".
The second question hasn't been discussed much, and has some complexity.
Maybe we should try to encourage more discussion / research of the
options, before trying to pull out a consensus?
Trevor
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
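A toy user-agent pin store, added here as an illustration and not code from the websec list or from any HPKP implementation, that models Yoav's options (2) and (3) as independent knobs: max_pin_age clamps the server-asserted max-age (None means no cap, option 1) and stale_after lets the UA skip hard-fail when the pin has not been observed for that long. Class and method names, the host name and the hash values are all assumptions constructed for the example.

```python
from dataclasses import dataclass

DAY = 24 * 3600


@dataclass
class PinEntry:
    spki_hashes: frozenset   # pinned SPKI hashes for the host
    expires_at: float        # absolute time after which the pin is dropped
    last_observed: float     # last time a validated chain matched the pin


class PinStore:
    """Hypothetical UA-side pin cache (not a real HPKP implementation)."""

    def __init__(self, max_pin_age=30 * DAY, stale_after=None):
        # max_pin_age: option (2), a hard cap; None means option (1), no cap.
        # stale_after: option (3), grace period; None means always hard-fail.
        self.max_pin_age = max_pin_age
        self.stale_after = stale_after
        self.entries = {}

    def note_pin(self, host, spki_hashes, max_age, now):
        """Record a server-asserted pin; returns the effective lifetime in seconds."""
        if self.max_pin_age is None:
            effective = max_age
        else:
            effective = min(max_age, self.max_pin_age)  # longer pins are truncated
        self.entries[host] = PinEntry(frozenset(spki_hashes), now + effective, now)
        return effective

    def check(self, host, chain_spki_hashes, now):
        """Evaluate an already-validated chain against the stored pin.
        Returns 'no-pin', 'ok', 'stale-skip' or 'fail'."""
        entry = self.entries.get(host)
        if entry is None or now >= entry.expires_at:
            self.entries.pop(host, None)   # expired pins are forgotten
            return "no-pin"
        if entry.spki_hashes & frozenset(chain_spki_hashes):
            entry.last_observed = now      # pin confirmed by this connection
            return "ok"
        if self.stale_after is not None and now - entry.last_observed > self.stale_after:
            return "stale-skip"            # option (3): unobserved too long to hard-fail
        return "fail"                      # pin violation: hard-fail
```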