
RE: STS and lockCA

From: Hodges, Jeff <jeff.hodges@paypal.com>
Date: Fri, 2 Oct 2009 15:54:50 -0600
Message-ID: <F184CAD0C947F3418351F992AF37D7E009E6F572@DEN-EXM-04.corp.ebay.com>
To: <public-webapps@w3.org>
> Gerv had proposed..
> >
> > We would like to allow sites to partition the CA space so that compromises
> > and problems in other parts of it don't affect them.
> >
> > I therefore propose a simple extension to the STS standard; a single token
> > to be appended to the end of the header:
> >
> > lockCA



Adam Barth replies..
> 
> This is an interesting proposal.  

Agreed.


> I think we should resist expanding the scope of the core STS proposal.

Agreed -- this is what we (PayPal) also desire.


>  There are many different kinds of tokens one could imagine adding to
> mitigate different threat models. 

Yes, e.g. EVonly


> Instead of adding them all in v1,
> we should allow / encourage this kind of experimentation by defining a
> forwards-compatible grammar for the STS header.

Agreed, see the thread entitled "more flexible ABNF for STS?"

Since the latter presumably has more-or-less direct implications for
one's parser implementation, it'd be best to specify the ABNF + UA impl
guidance now, it'd seem.

=JeffH
Received on Friday, 2 October 2009 21:55:39 GMT
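
The forwards-compatible parsing discussed in this message, sketched as an added example that is not part of the original email or of any STS draft: a user-agent-side parser that tolerates extension tokens such as lockCA or EVonly instead of failing on them. It assumes the directive syntax later published in RFC 6797 (`max-age`, `includeSubDomains`, semicolon-separated directives), which postdates this thread; `parse_sts` and its return shape are hypothetical.

```python
import re

# Assumption: header syntax as later published in RFC 6797 (postdates this thread).
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_DIRECTIVE = re.compile(
    rf"\s*({_TOKEN})\s*(?:=\s*({_TOKEN}|{_QUOTED}))?\s*(?:;|$)")
_EMPTY = re.compile(r"\s*(?:;|$)")   # ";;" and a trailing ";" are tolerated
_KNOWN = {"max-age", "includesubdomains"}


def parse_sts(value):
    """Hypothetical UA-side parser: returns a policy dict, or None to ignore the header."""
    seen, pos = {}, 0
    while pos < len(value):
        m = _DIRECTIVE.match(value, pos) or _EMPTY.match(value, pos)
        if m is None:
            return None                      # not parseable as directives at all
        pos = m.end()
        if m.re is _EMPTY:
            continue
        name, raw = m.group(1).lower(), m.group(2)   # names are case-insensitive
        if name in seen:
            return None                      # repeated directive: reject the header
        if raw is not None and raw.startswith('"'):
            raw = re.sub(r"\\(.)", r"\1", raw[1:-1])  # unquote a quoted-string
        seen[name] = raw
    age = seen.get("max-age")
    if age is None or not re.fullmatch(r"[0-9]+", age):
        return None                          # max-age is mandatory and numeric
    return {
        "max_age": int(age),
        "include_subdomains": "includesubdomains" in seen,
        # Extension tokens this parser does not understand are skipped, not fatal.
        "ignored": sorted(n for n in seen if n not in _KNOWN),
    }


if __name__ == "__main__":
    # Constructed sample values; lockCA and EVonly are the tokens floated in the thread.
    for sample in ("max-age=31536000; includeSubDomains; lockCA",
                   'max-age="600"; EVonly',
                   "lockCA",
                   "max-age=1; max-age=2"):
        print(repr(sample), "->", parse_sts(sample))
```

A parser that instead rejected the whole header on an unknown token would silently drop the HTTPS-only policy as soon as a site adopted an extension, which is the deployment hazard a forwards-compatible grammar avoids.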
