W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2009

Re: STS and lockCA

From: Adam Barth <w3c@adambarth.com>
Date: Thu, 12 Nov 2009 01:08:00 -0800
Message-ID: <7789133a0911120108j6c945772pa48ff32e845c99@mail.gmail.com>
To: Bil Corry <bil@corry.biz>
Cc: Gervase Markham <gerv@mozilla.org>, public-webapps@w3.org
On Wed, Nov 11, 2009 at 7:25 AM, Bil Corry <bil@corry.biz> wrote:
> Would LockCA prevent the site from loading if it encountered a new cert from the same CA?

My understanding is that it would not.

> Or are you talking about a site that wants to switch CAs and is using LockCA?

I think Gervase means that you want some overlap so that folks that
connect to your site the day after you renew your certificate are
protected.

> How about instead there's a way to set the max-age relative to the cert expiration?  So -3024000 is two weeks before the cert expiration and 3024000 is two weeks after.  I'm in agreement with Devdatta that it would be easy for someone to lock out their visitors, and I think this is easier to implement.

That seems overly complicated and contrary to the semantics of max-age
in other HTTP headers.

I'm not convinced we need to paternally second-guess site operators.
Keep in mind that the site operator can supply a lower max-age in a
subsequent request if they realize they screwed up and want to reduce
the duration.  That said, it might be worth caping the max-age at one
or two years.

Adam
Received on Thursday, 12 November 2009 09:09:00 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:35 GMT