- From: Hodges, Jeff <jeff.hodges@paypal.com>
- Date: Fri, 2 Oct 2009 15:54:50 -0600
- To: <public-webapps@w3.org>
Gerv had proposed..

> >
> > We would like to allow sites to partition the CA space so that compromises
> > and problems in other parts of it don't affect them.
> >
> > I therefore propose a simple extension to the STS standard; a single token
> > to be appended to the end of the header:
> >
> > lockCA

Adam Barth replies..

> This is an interesting proposal.

Agreed.

> I think we should resist expanding the scope of the core STS proposal.

Agreed -- this is what we (PayPal) also desire.

> There are many different kinds of tokens one could imagine adding to
> mitigate different threat models.

Yes, e.g. EVonly

> Instead of adding them all in v1,
> we should allow / encourage this kind of experimentation by defining a
> forwards-compatible grammar for the STS header.

Agreed, see the thread entitled "more flexible ABNF for STS?"

Since the latter presumably has more-or-less direct implications for one's parser implementation, it'd be best to specify the ABNF + UA impl guidance now, it'd seem.

=JeffH
Received on Friday, 2 October 2009 21:55:39 UTC