On Tue, Jun 4, 2013 at 3:04 AM, Tobias Gondrom <[email protected]> wrote:
> Hi Trevor, hi all,
>
> (again no hats)
>
> actually regarding browser lookups of pin lists:
> I'd rather have the pins work unlimited and all the time even without pin
> lists.
>
> But your idea might in fact be a solution to enable the unlimited pin
> times.
> Instead of constantly distributing the list of pins, we could actually
> have browsers use whitelists of pins that have been "revoked" and where the
> browser is allowed to refresh. That could e.g. happen with a browser update.
>

Hi Tobias,

I agree there may need to be a mechanism for browser vendors (or other third parties) to push out "pin revocation lists" that delete bad pins.

But if a bad pin occurs, there may be some latency before this list could be updated. And if a lot of bad pins occur, the list might not be large enough to contain them all.

So I still think we want strong safeguards (such as max-age limits) to reduce the incidence of bad pins as much as possible.

Trevor
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
