
Re: STS and lockCA

From: Adam Barth <w3c@adambarth.com>
Date: Wed, 11 Nov 2009 00:57:54 -0800
Message-ID: <7789133a0911110057l172d2421ofa225f84a4382418@mail.gmail.com>
To: Bil Corry <bil@corry.biz>
Cc: Gervase Markham <gerv@mozilla.org>, public-webapps@w3.org
On Tue, Nov 10, 2009 at 7:40 PM, Bil Corry <bil@corry.biz> wrote:
> Gervase Markham wrote on 10/01/2009 5:51 PM:
>> I therefore propose a simple extension to the STS standard; a single
>> token to be appended to the end of the header:
>>
>> lockCA
>
> One idea to consider, especially for lockCA, is to somehow denote that STS should expire at the same time as the cert, perhaps by omitting max-age or allowing max-age=cert, etc.  This will prevent accidentally causing STS to last longer or shorter than the cert expiration, especially when it's rotated out or revoked.

Why do we need a browser mechanism for that?  It seems like the site
can easily compute whatever max-age value it wishes to set.

Adam
Received on Wednesday, 11 November 2009 08:59:04 GMT
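Adam's point is that a site already knows its certificate's notAfter and can derive the STS max-age from it without any new browser syntax. The following is an added illustration of that computation, not code from the thread or from any of the participants. It uses only the Python standard library; the certificate dictionary is a constructed sample in the shape ssl.SSLSocket.getpeercert() returns (only the notAfter field is needed), and the date in it is made up.

```python
import ssl
import time

# Constructed sample of the dict that ssl.SSLSocket.getpeercert() returns for a
# server certificate, reduced to the field we use. The expiry date is invented.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "notAfter": "Nov 11 08:59:04 2010 GMT",
}


def not_after_epoch(cert):
    """Return the certificate's notAfter as integer seconds since the Unix epoch.

    ssl.cert_time_to_seconds() parses exactly the string format that
    getpeercert() produces ("%b %d %H:%M:%S %Y GMT"), so the result is UTC.
    """
    return ssl.cert_time_to_seconds(cert["notAfter"])


def sts_header_value(cert, now=None, include_subdomains=False):
    """Build a Strict-Transport-Security header value whose max-age ends
    exactly when the certificate does.

    max-age is a non-negative integer number of seconds (RFC 6797). If the
    certificate has already expired, send max-age=0, which tells a conforming
    client to drop its stored STS policy for the host instead of keeping a
    stale one.
    """
    if now is None:
        now = time.time()
    remaining = int(not_after_epoch(cert) - now)
    max_age = max(remaining, 0)          # never emit a negative max-age
    value = "max-age=%d" % max_age
    if include_subdomains:
        value += "; includeSubDomains"
    return value


def sts_header_line(cert, now=None, include_subdomains=False):
    """Full header line as a server would add it to an HTTPS response."""
    return "Strict-Transport-Security: " + sts_header_value(
        cert, now, include_subdomains)


if __name__ == "__main__":
    # The sample certificate expired in 2010, so with the real clock this
    # prints max-age=0; pass now=not_after_epoch(SAMPLE_CERT) - 86400 to see
    # a policy that lasts one more day.
    print(sts_header_line(SAMPLE_CERT))
```

One caveat worth keeping in mind when reading the exchange: deriving max-age from notAfter only matches the scheduled expiry. If the certificate is rotated out early or revoked, clients that already stored the policy keep it until their copy of max-age runs out, and an updated header (even max-age=0) reaches only clients that connect again.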