- From: Aryeh Gregor <Simetrical+w3c@gmail.com>
- Date: Tue, 18 May 2010 17:11:49 -0400
- To: Henrik Nordström <henrik@henriknordstrom.net>
- Cc: "public-web-security@w3.org" <public-web-security@w3.org>
2010/5/17 Henrik Nordström <henrik@henriknordstrom.net>: > A policy which is equally applicable to all protocols supporting both > plain-text and TLS. > > HTTP, SMTP, IMAP, POP-3, LDAP, you name it. In practice, though, this is needed most for HTTP. Easy-to-MITM clients rarely submit sensitive information over SMTP, IMAP, POP-3, or LDAP, compared to HTTP. It might be nice to adopt a solution that works for all of these, but not if it will slow down adoption for the biggest use-case (HTTP). Do we even have any clients interested in implementing this for anything other than HTTP? > Not a problem for an DNS based approach. That would need to be done > similar to how SRV records is done. DNS is simply untenable until DNSSEC is reliably available. > Yes. But also means that you via your CA certify that you fulfill STS > requirements. What requirements? > CAs have to agree on including the attribute in the signed data yes. That sounds like a needless obstacle to adoption in the HTTP case. There are an awful lot of CAs out there. And sites will want to change the STS expiration a lot more than once a year, especially while it's new and they're trying it out. I'd expect initial deployments to use very short expiration times to ensure they aren't hit by any unforeseen bugs, and only move to multi-month expirations or longer after significant testing.
Received on Tuesday, 18 May 2010 21:12:23 UTC