Thanks Trevor. Ok, so if we set the Max-Age to 1 day, 10 days, 30 or 90, what are the realistic impacts? Increased infrastructure, how much? I have not seen the tradeoffs: cost (risks or added infrastructure) vs. benefits. I have been reading the arguments, pros and cons, and the issue does not seem to be an engineering one; it is a business/risk management issue. Upset customers, security, operations costs etc. Not knowing the business cases and true costs, I would go with 28 days if a hard limit must be set. That seems long to me, yet within most business systems' reporting cycles etc.

Just my thoughts,
Chuck

From: Trevor Perrin [mailto:[email protected]]
Sent: Tuesday, June 04, 2013 12:32 PM
To: Sheehe, Charles J. (GRC-DPC0)
Cc: <[email protected]>
Subject: Re: [websec] Consensus call: Issue #57 (max-max-age)

On Tue, Jun 4, 2013 at 6:03 AM, Sheehe, Charles J. (GRC-DPC0) <[email protected]> wrote:

Why can't the Max-Max-Age equal a formula: Max age = (average usage)*2 + 1 day

Hi Charles,

In the case of frequently visited sites, that would shrink pin lifetimes to the point that even a brief interruption of browsing habits (vacation, etc.) would deactivate the pins.

Also, that wouldn't guarantee an upper bound on pin lifetimes. While opinions differ on this, I think a guaranteed upper bound is desirable, to provide sites clarity on how long ill-effects from pinning might last.

Trevor
_______________________________________________ websec mailing list [email protected] https://www.ietf.org/mailman/listinfo/websec
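To make Trevor's two objections concrete, here is an added simulation (not part of the thread, written by the editor) of a user agent's pin store under the proposed formula versus a fixed 28-day maximum. The visit histories are constructed, and the 1-day default interval for a first visit is an assumption the formula itself does not specify.

```python
from datetime import date, timedelta
from statistics import mean

START = date(2013, 6, 4)          # constructed start of the visit histories
CAP = timedelta(days=28)          # the hard max-max-age Chuck suggests


def formula_max_age(visits):
    """Charles' proposal: max-age = (average usage interval) * 2 + 1 day.
    With fewer than two visits there is no interval yet; assume 1 day."""
    if len(visits) < 2:
        avg_gap = 1.0
    else:
        avg_gap = mean((b - a).days for a, b in zip(visits, visits[1:]))
    return timedelta(days=avg_gap * 2 + 1)


def fixed_28_day(visits):
    """A site that always sends max-age equal to a fixed 28-day upper bound."""
    return CAP


def pin_expiry(visits, policy):
    """Replay a visit history through a UA pin store: each visit re-sets the
    pin with whatever max-age the policy yields at that point."""
    expiry = None
    for i in range(len(visits)):
        expiry = visits[i] + policy(visits[: i + 1])
    return expiry


def survives_vacation(visits, policy, vacation_days):
    """Is the pin still active when the user returns after vacation_days away?"""
    return pin_expiry(visits, policy) > visits[-1] + timedelta(days=vacation_days)


def daily_visits(n=30):
    """Constructed history: a site visited every day for n days."""
    return [START + timedelta(days=i) for i in range(n)]


def sparse_visits(gap_days, n=3):
    """Constructed history: a site visited only every gap_days days."""
    return [START + timedelta(days=i * gap_days) for i in range(n)]


if __name__ == "__main__":
    # Objection 1: a daily visitor gets a 3-day pin; a 14-day vacation drops it.
    print("formula pin survives vacation:", survives_vacation(daily_visits(), formula_max_age, 14))
    print("28-day pin survives vacation:", survives_vacation(daily_visits(), fixed_28_day, 14))
    # Objection 2: no upper bound; a rarely visited site gets a 361-day pin.
    print("formula lifetime for 180-day visitor:", formula_max_age(sparse_visits(180)).days, "days")
```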
