- From: Tom Ritter <tom@ritter.vg>
- Date: Sat, 13 Sep 2014 20:35:06 -0500
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
On 10 September 2014 17:29, Ryan Sleevi <sleevi@google.com> wrote:

> In more recent years, this has come up again with "mixed-HSTS" and
> "mixed-HPKP" discussions (which, unlike Mike, I don't think are a good place
> to express these sorts of policies), which themselves then became part of
> Joe Bonneau's overall secure-links scheme (see http://www.secure-links.org/ )

And 'mixed client authentication'.

> Ultimately, I agree with Mike - the solution to solve this (generally) is
> for UAs to start deprecating things. We're already seeing this with SHA-1
> ( *cough* ), and I think it's very likely we'll start seeing with both TLS
> versions and cipher configurations (that we haven't already is more due to
> oversight than lack of enthusiasm)

++

I also see a problem that limiting the domain to example.com to load a resource off a CDN has the existing implicit contract that the resource will not change to start loading content off another domain. No such implicit contract exists for ciphersuites, limiting the usefulness.

-tom
Received on Sunday, 14 September 2014 01:35:53 UTC