- From: Adam Barth <w3c@adambarth.com>
- Date: Wed, 11 Nov 2009 00:57:54 -0800
- To: Bil Corry <bil@corry.biz>
- Cc: Gervase Markham <gerv@mozilla.org>, public-webapps@w3.org

On Tue, Nov 10, 2009 at 7:40 PM, Bil Corry <bil@corry.biz> wrote:
> Gervase Markham wrote on 10/01/2009 5:51 PM:
>> I therefore propose a simple extension to the STS standard; a single
>> token to be appended to the end of the header:
>>
>> lockCA
>
> One idea to consider, especially for lockCA, is to somehow denote that STS should expire at the same time as the cert, perhaps by omitting max-age or allowing max-age=cert, etc. This will prevent accidentally causing STS to last longer or shorter than the cert expiration, especially when it's rotated out or revoked.

Why do we need a browser mechanism for that? It seems like the site can easily compute whatever max-age value it wishes to set.

Adam

Received on Wednesday, 11 November 2009 08:59:04 UTC
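
The server-side computation suggested in the reply above, as an added example that is not part of the original message: it derives max-age from the certificate's notAfter time each time the header is built. The function names, the `margin` and `cap` parameters, and the sample dates are assumptions made for illustration.

```python
import ssl
import time

# Constructed sample values: a notAfter string in the format returned by
# ssl.SSLSocket.getpeercert(), and a "current time" exactly 365 days earlier.
SAMPLE_NOT_AFTER = "Nov 11 08:59:04 2010 GMT"
SAMPLE_NOW = ssl.cert_time_to_seconds("Nov 11 08:59:04 2009 GMT")


def sts_max_age(not_after, now=None, margin=0, cap=None):
    """Seconds from `now` until the certificate expires, never negative.

    margin: seconds subtracted so the policy lapses slightly before the
            certificate does (hypothetical knob, not from the thread).
    cap:    optional upper bound for sites that prefer a shorter policy.
    """
    if now is None:
        now = time.time()
    expires = ssl.cert_time_to_seconds(not_after)  # epoch seconds, UTC
    remaining = int(expires - now) - margin
    if cap is not None:
        remaining = min(remaining, cap)
    # An expired certificate yields max-age=0 rather than a negative value.
    return max(remaining, 0)


def sts_header(not_after, now=None, margin=0, cap=None):
    """Build the header line to send with each HTTPS response."""
    age = sts_max_age(not_after, now=now, margin=margin, cap=cap)
    return "Strict-Transport-Security: max-age=%d" % age


if __name__ == "__main__":
    print(sts_header(SAMPLE_NOT_AFTER, now=SAMPLE_NOW))
    print(sts_header(SAMPLE_NOT_AFTER, now=SAMPLE_NOW, margin=86400))
```

Because the value is recomputed per response, the advertised lifetime shrinks as the certificate ages and follows the new notAfter as soon as a replacement certificate is deployed.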