RE: VeriSign feedback/comments on STS -06

> -----Original Message-----
> From: [mailto:public-web-security-
>] On Behalf Of Henrik Nordström
> Sent: Monday, May 17, 2010 4:31 PM
> To: Michal Zalewski
> Cc:
> Subject: Re: VeriSign feedback/comments on STS -06
> Mon 2010-05-17 at 16:17 -0700, Michal Zalewski wrote:
> > >> This would make it difficult to enroll (requiring changing all certs).
> > > Which is something you do anyway fairly frequently (every year or
> > > so)
> >
> > ...compared to the ability to toggle a HTTP header in a couple
> > minutes, for free (and roll back if things go wrong).
> Which imho is too easy. Once enabled it should not be too easy to disable
> without clients noticing.

We believe that ultimately the site itself must be responsible for setting this policy, including disabling it. Nothing stops someone from building a client-side control. Chrome is even implementing a pre-loaded STS list, and we asked to be included.

That said, ultimately the site still knows how best to connect to it, way better than the client does. The client can certainly have a preference, but only the server can be authoritative about what is supported.

Andy Steingruebl
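The two mechanisms the thread contrasts, a site-set header that can be toggled (and rolled back with max-age=0) versus a client-side preload list the server cannot switch off, are modelled below as a toy browser-side STS policy store. This is an added example, not code from the thread, from the STS draft, or from Chrome; the class and function names, the sample header values and the preload entries are constructed for illustration, and the rule that a max-age=0 header clears only the dynamically learned entry and never a preloaded one is an assumption about how a preload list would behave, not something the thread states.

```python
"""Toy model of a browser-side STS (HSTS) policy store.

Added example, not part of the original thread or any draft text.
Constructed names and inputs throughout.
"""
import re
import time

# max-age=<digits>, optionally quoted; matched against one ';'-separated directive
MAX_AGE_RE = re.compile(r'^max-age\s*=\s*"?(\d+)"?$', re.IGNORECASE)


def parse_sts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None when the value is unusable: no max-age, or max-age repeated.
    Unknown directives are ignored so future extensions do not break parsing.
    """
    max_age = None
    include_sub = False
    for directive in header.split(';'):
        d = directive.strip()
        if not d:
            continue
        m = MAX_AGE_RE.match(d)
        if m:
            if max_age is not None:
                return None  # duplicated max-age: reject the whole header
            max_age = int(m.group(1))
        elif d.lower() == 'includesubdomains':
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsStore:
    """Holds preloaded entries (client controlled) and dynamic entries (site controlled)."""

    def __init__(self, preload=None, clock=time.time):
        self.clock = clock  # injectable so expiry can be tested deterministically
        # assumption: preload entries are host -> include_subdomains, fixed at build time
        self.preload = {h.lower(): bool(s) for h, s in (preload or {}).items()}
        self.dynamic = {}  # host -> (expires_at, include_subdomains)

    def observe(self, host, header, over_tls):
        """Apply an STS header seen in a response from `host`. Returns True if honoured."""
        if not over_tls:
            return False  # a header on a plaintext response could be injected; ignore it
        parsed = parse_sts(header)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = host.lower()
        if max_age == 0:
            # site opts out: only the learned entry goes away; preload is untouched
            self.dynamic.pop(host, None)
        else:
            self.dynamic[host] = (self.clock() + max_age, include_sub)
        return True

    def is_known(self, host):
        """True if `host` (or a covering parent with includeSubDomains) must use TLS."""
        host = host.lower()
        now = self.clock()
        labels = host.split('.')
        for i in range(len(labels)):
            candidate = '.'.join(labels[i:])
            exact = (i == 0)
            if candidate in self.preload and (exact or self.preload[candidate]):
                return True
            entry = self.dynamic.get(candidate)
            if entry is None:
                continue
            expires_at, include_sub = entry
            if now >= expires_at:
                del self.dynamic[candidate]  # expired policy is forgotten
                continue
            if exact or include_sub:
                return True
        return False

    def rewrite(self, url):
        """Upgrade an http:// URL to https:// when its host is a known STS host."""
        m = re.match(r'^http://([^/:]+)(.*)$', url, re.IGNORECASE)
        if m and self.is_known(m.group(1)):
            return 'https://' + m.group(1) + m.group(2)
        return url
```

Two points the model makes concrete: a header on a plaintext response is ignored, so an attacker on the path cannot turn a site's policy off with a forged max-age=0; and a site that is on the preload list stays upgraded no matter what header it later sends, which is exactly the loss of control that asking to be preloaded implies.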

Received on Monday, 17 May 2010 23:56:05 UTC