On Tue, May 28, 2013 at 10:16 PM, Yoav Nir <[email protected]> wrote:

> Disagree on that. Banks and other financial institutions are not web
> technology companies, but they deal with real money and they have real money
> with which to buy such expertise. It's no coincidence that banks were very
> early adopters of anti-XSS and anti-CSRF measures, and it's no coincidence
> that one of this group's biggest contributors works for Paypal, which is no
> less a financial institution than any bank or credit card company. If we
> can't help protect the transactions that involve money, what's the point?

Money is not the only important thing to protect. If HPKP "merely"
protected email or personal messages or social networks, that would
still be pretty awesome — because people often use those systems for
things at least as important as money. (E.g. political speech.) Yes,
of course I want to also protect people's interactions with their
financial institutions.

>> Not exactly; I find Trevor's call for simple clarity compelling, but I
>> also like a browser-determined limit past which we fail open (for the
>> reasons described above). I could happily go either way, which doesn't
>> really help, I realize. :) Ryan and I can just make a call one way or
>> the other and write it up, is that OK?
>
> By "fail open", do you mean fail with a warning to the user, or just silently 
> ignore the pin?

Fail with a warning to the user, as described earlier.

> So I think we should either set no limits, or set hard limits.

I see in a subsequent email, Tobias says:

"""If either "no-limit" and "hard-limit" would both be ok for you (and
others), then I would be strongly in favor of "no-limit"."""

I'll go for no-mandated-limit with suggested-limit.

Other votes?
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
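The three positions in this thread (no limit, hard limit, suggested limit on a pin's max-age, with "fail open" meaning the pin is not enforced and the user is warned) can be compared in code. The following is an added illustration, not code from the websec group or any browser: it parses a Public-Key-Pins header and applies one of the three policies. The header value, the pin strings, the `ua_limit` parameter and the "cap to the suggested limit" behaviour are constructed assumptions for the example, not something the thread specifies.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample header (placeholder pin values, one year max-age).
SAMPLE_HEADER = (
    'pin-sha256="PLACEHOLDER_PIN_1="; pin-sha256="PLACEHOLDER_PIN_2="; '
    'max-age=31536000; includeSubDomains'
)


@dataclass
class PinDecision:
    pins: List[str]
    effective_max_age: Optional[int]   # None when the pin is not honored
    action: str                        # "honor" or "fail_open"
    warning: Optional[str] = None      # text a UA would surface to the user


def parse_pkp(header: str) -> Tuple[List[str], Optional[int], bool]:
    """Split a Public-Key-Pins field value into pins, max-age and includeSubDomains."""
    pins: List[str] = []
    max_age: Optional[int] = None
    include_subdomains = False
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "pin-sha256":
            pins.append(value)
        elif name == "max-age":
            try:
                max_age = int(value)
            except ValueError:
                max_age = None      # treated as malformed by the caller
        elif name == "includesubdomains":
            include_subdomains = True
    return pins, max_age, include_subdomains


def apply_pin_policy(header: str, policy: str, ua_limit: Optional[int] = None) -> PinDecision:
    """Decide whether to honor a pin under one of the three limit policies.

    policy: "no-limit"        -> honor whatever max-age the host sent
            "hard-limit"      -> fail open (warn, do not pin) above ua_limit
            "suggested-limit" -> honor, but cap the effective max-age at ua_limit
                                 (the capping behaviour is an assumption of this example)
    """
    pins, max_age, _ = parse_pkp(header)
    if not pins or max_age is None or max_age < 0:
        return PinDecision(pins, None, "fail_open", "malformed pin header; pin ignored")

    if policy == "no-limit":
        return PinDecision(pins, max_age, "honor")

    if ua_limit is None:
        raise ValueError("ua_limit is required for hard-limit and suggested-limit")

    if policy == "hard-limit":
        if max_age > ua_limit:
            return PinDecision(
                pins, None, "fail_open",
                f"max-age {max_age} exceeds the hard limit {ua_limit}; pin not enforced",
            )
        return PinDecision(pins, max_age, "honor")

    if policy == "suggested-limit":
        if max_age > ua_limit:
            return PinDecision(
                pins, ua_limit, "honor",
                f"max-age {max_age} capped to the suggested limit {ua_limit}",
            )
        return PinDecision(pins, max_age, "honor")

    raise ValueError(f"unknown policy {policy!r}")


if __name__ == "__main__":
    sixty_days = 60 * 24 * 3600
    for policy in ("no-limit", "hard-limit", "suggested-limit"):
        print(policy, apply_pin_policy(SAMPLE_HEADER, policy, ua_limit=sixty_days))
```

Run against the constructed header, `no-limit` honors the full year, `hard-limit` refuses to pin and carries a user-facing warning, and `suggested-limit` keeps the pin but shortens it to the UA's limit; the difference in the `effective_max_age` field is exactly what the thread is deciding between.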
