On 7 November 2014 13:28, Xiaoyin Liu <[email protected]> wrote:
> For instance, if Twitter wants to gracefully switch to HTTP. It needs to
> send max-age=0 for twenty years in order to ensure that no one is locked
> out. But planning ahead twenty years is impossible. So for Twitter switching
> from twenty years to infinity doesn't add more risks.

With something concrete, Paypal just jumped to 2 years:
https://twitter.com/equalsJeffH/status/530840852243832833

Maybe Jeff can weigh in on what it took to get to that confidence level and whether he/they would rather have 'infinite'.

-tom

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
