On Wed, Apr 8, 2015 at 6:00 PM, Phillip Hallam-Baker <[email protected]> wrote:
> http://tools.ietf.org/html/draft-hallambaker-webseccaa-00
>
> It is a pretty straightforward proposal:
>
> * Use the CAA record with either the hsts or hpkp tag
> * Put the same text you would have put into the CAA record value field
>
> There are a few differences in interpretation. All we are trying to do
> here is to help people to close the 'secure after first use' hole, not
> replace.
>
> Given that we have quite a bit of use of HSTS headers, providing a
> mechanism for publishing this in the DNS looks like being the obvious
> approach.
>

Off topic, but related: "Please add Pinning Pinsets and CSP to App Manifest," https://bugzilla.mozilla.org/show_bug.cgi?id=1158756.

The more channels this information is available in, the better. Choice is always good. And context-specific security information is even better.
