On 5/22/2013 3:29 PM, Trevor Perrin wrote:
> The draft discusses "Preloaded Pin Lists", which are presumably conveyed to the UA from some 3rd party (eg browser vendor). It seems reasonable for such lists to be created or kept fresh by scanning web sites. I believe Mozilla is taking this approach to HSTS [1].
Note that Mozilla currently requires sites to specify an HSTS pinning time of at least 18 WEEKS to be included in the pre-load list. There was concern that sites with shorter pins could have stopped using HSTS by the time that version of the browser shipped. I personally think that's a little strict, but even if we relaxed the requirement to the length of a Beta cycle that's still a longer period of time (6 weeks) than the maximum 30 days you're suggesting.
This has no direct bearing on whether 30 days is a reasonable max pinning length, but I doubt Mozilla would ship a pre-loaded list if the lifetime was so short that pins would have expired by the time the user gets it.
-Dan Veditz
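As an added illustration (not code from the thread or from Mozilla), here is a small checker that parses a Strict-Transport-Security header and compares its lifetime with the figures in the message above: the 18-week pre-load minimum, the 6-week Beta cycle, and the 30-day maximum pin lifetime under discussion. It assumes "pinning time" refers to the HSTS max-age value; the function and constant names are the example's own.

```python
# Added example: evaluate an HSTS max-age against the lifetimes discussed
# in the thread. Thresholds below are taken from the message; the names
# are assumptions of this example.
import re

WEEK = 7 * 24 * 3600
MOZILLA_PRELOAD_MIN = 18 * WEEK      # 18-week minimum quoted in the message
BETA_CYCLE = 6 * WEEK                # relaxed 6-week threshold floated above
PIN_MAX_PROPOSED = 30 * 24 * 3600    # 30-day maximum pin lifetime under discussion


def parse_hsts(header: str) -> dict:
    """Parse a Strict-Transport-Security header value into a dict.

    Directive names are case-insensitive and must not repeat; max-age is
    mandatory and must be a non-negative integer (RFC 6797 syntax)."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = value
    if "max-age" not in directives:
        raise ValueError("max-age directive is required")
    if not re.fullmatch(r"\d+", directives["max-age"]):
        raise ValueError("max-age must be a non-negative integer")
    directives["max-age"] = int(directives["max-age"])
    return directives


def preload_eligibility(header: str, min_age: int = MOZILLA_PRELOAD_MIN) -> dict:
    """Report how the header's max-age relates to each threshold."""
    d = parse_hsts(header)
    age = d["max-age"]
    return {
        "max_age": age,
        "weeks": round(age / WEEK, 1),
        "meets_preload_min": age >= min_age,        # would survive to ship date
        "outlives_beta_cycle": age >= BETA_CYCLE,   # relaxed criterion
        "within_30_day_pin_max": age <= PIN_MAX_PROPOSED,
        "include_subdomains": "includesubdomains" in d,
    }
```

A header that satisfies the 30-day pin maximum cannot also satisfy either pre-load threshold, which is the tension the message points out.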
