- From: Steingruebl, Andy <asteingruebl@paypal.com>
- Date: Mon, 17 May 2010 17:49:11 -0600
- To: Henrik Nordström <henrik@henriknordstrom.net>, Michal Zalewski <lcamtuf@coredump.cx>
- CC: "public-web-security@w3.org" <public-web-security@w3.org>
> -----Original Message----- > From: public-web-security-request@w3.org [mailto:public-web-security- > request@w3.org] On Behalf Of Henrik Nordström > Sent: Monday, May 17, 2010 4:31 PM > To: Michal Zalewski > Cc: public-web-security@w3.org > Subject: Re: VeriSign feedback/comments on STS -06 > > mån 2010-05-17 klockan 16:17 -0700 skrev Michal Zalewski: > > >> This would make it difficult to enroll (requiring changing all certs). > > > Which is something you do anyway fairly frequently (every year or > > > so) > > > > ...compared to the ability to toggle a HTTP header in a couple > > minutes, for free (and roll back if things go wrong). > > Which imho is too easy. Once enabled it should not be too easy to disable > without clients noticing. We believe that ultimately the site itself must be responsible for setting this policy, including disabling it. Nothing stops someone from building a client-site control. Chrome is even implementing a pre-loaded STS list, and we asked to be included. http://www.chromium.org/sts That said, ultimately the site still knows how best to connect to it, way better than the client does. The client can certainly have a preference, but only the server can be authoritative about what is supported. -- Andy Steingruebl
Received on Monday, 17 May 2010 23:56:05 UTC